Adversary

Pinchy Spider

ORIGIN

Eastern Europe, Russian Federation

Community Identifiers

GandCrab, REvil, Sodinokibi, GOLD GARDEN, GOLD SOUTHFIELD

Pinchy Spider is a criminal group behind the development and operation of the ransomware named REvil (aka Sodinokibi) that was brought into operation at the beginning of April 2019.

Pinchy Spider sells access to their ransomware under a partnership program with a limited number of accounts, often referred to as Ransomware-as-a-Service (RaaS). The criminal actor was first known as the developer of the ransomware GandCrab, which was active between January 2018 and the end of May 2019.

REvil
Samples of REvil were first identified in early April 2019, while GandCrab remained active. Analysis by CrowdStrike Intelligence identified several overlaps in code—as well as Tactics, Techniques, and Procedures (TTPs)—that confirm a link between the GandCrab and REvil operations, including RC4 string decryption, information gathering, command-and-control (C2) techniques, and file encryption. CrowdStrike Intelligence has attributed Pinchy Spider to the operation of REvil, with Pinchy Spider formed of some individuals who operated the now defunct GandCrab and new individuals from a former GandCrab affiliate network.

GandCrab
GandCrab first emerged at the end of January 2018 and it is one of the first known ransomware families to accept the DASH cryptocurrency and utilize the cryptocurrency Namecoin TLD .bit, which acts as an alternative, decentralized domain name system.

On 31 May 2019, Pinchy Spider stated in a forum post that they were retiring from operations and that the GandCrab partnership program was being closed down. The actor requested no further distribution campaigns and gave members of the partner program 28 days to monetize any remaining infections.

Technical Tradecraft

  • Use of RC4 for string decryption
  • Enumeration of keyboard layout lists for locale verification
  • Enumeration and termination of processes associated with ransomware targeted files
  • Enumeration of domain name for RU TLD to prevent encryption of Russian companies

Targeted Nations

  • Flag Icon of the country Argentina

    Argentina

  • Flag Icon of the country Australia

    Australia

  • Flag Icon of the country Belgium

    Belgium

  • Flag Icon of the country Brazil

    Brazil

  • Flag Icon of the country Canada

    Canada

  • Flag Icon of the country Chile

    Chile

  • Flag Icon of the country China

    China

  • Flag Icon of the country Europe

    Europe

  • Flag Icon of the country France

    France

  • Flag Icon of the country Germany

    Germany

  • Flag Icon of the country Hong Kong

    Hong Kong

  • Flag Icon of the country Indonesia

    Indonesia

  • Flag Icon of the country Italy

    Italy

  • Flag Icon of the country Jamaica

    Jamaica

  • Flag Icon of the country Japan

    Japan

  • Flag Icon of the country Luxembourg

    Luxembourg

  • Flag Icon of the country Mexico

    Mexico

  • Flag Icon of the country Norway

    Norway

  • Flag Icon of the country Singapore

    Singapore

  • Flag Icon of the country Slovenia

    Slovenia

  • Flag Icon of the country South Africa

    South Africa

  • Flag Icon of the country South Korea

    South Korea

  • Flag Icon of the country Spain

    Spain

  • Flag Icon of the country Sweden

    Sweden

  • Flag Icon of the country Switzerland

    Switzerland

  • Flag Icon of the country Trinidad And Tobago

    Trinidad And Tobago

  • Flag Icon of the country United Arab Emirates

    United Arab Emirates

  • Flag Icon of the country United Kingdom

    United Kingdom

  • Flag Icon of the country United States

    United States

Target Industries

  • Agriculture
  • Automotive
  • Biomedical
  • Chemicals
  • Consulting & Professional Services
  • Consumer Goods
  • Cryptocurrency
  • Food and Beverage
  • Hospitality
  • Industrials and Engineering
  • Legal
  • Logistics
  • Maritime
  • NGOs and Nonprofits
  • Opportunistic
  • Real Estate
  • State & Municipal Government
  • Academic
  • Energy
  • Government
  • Media
  • Retail
  • Technology

Artwork

Adversary: Pinchy Spider - Threat Actor

Crowdstrike Pinchy Spider

I have read and accept the terms and conditions

Download

Explore Next Adversary

Remix Kitten

All Adversaries 17

Explore Next Adversary

Terms and conditions

In order to download the adversary artwork, we kindly request you to accept our terms and conditions displayed below.

This image (“artwork”), is the intellectual property of CrowdStrike, Inc. and its affiliates and licensors (collectively, “us” or “we”) and may include other marks, trademarks, copyrighted materials, and other intellectual property (“assets”) that belong t o us, including, without limitation, CrowdStrike, the CrowdStrike logo, and CrowdStrike Falcon. We retain all right, title and interest in and to the artwork and all assets included therein. This artwork is offered to you as a convenience for your lawful a nd non-commercial use, solely as authorized by us, and subject to your compliance with these terms and conditions (“terms”) and any other guidelines or specifications that we may provide from time to time. We reserve the right to change these terms at any time without prior notice.

You should periodically check the latest information posted herein to be sure that you are in compliance. By downloading the artwork, you attest that you are at least 18 years of age and agree to the following terms, which const itute the sole and entire agreement between you and us with respect to the artwork. We reserve all rights not expressly granted to you herein. You may not use or display the artwork in any way: (i) that violates the rights of any person or entity or that may give rise to civil or criminal liability under laws or regulations applicable to you, another user, and/or CrowdStrike; (ii) that is defamatory, obscene, indecent, abusive, harassing, violent, hateful, inflammatory or otherwise objectionable; (iii) tha t is false, deceptive, misleading or fraudulent, including but not limited to: (a) any attempt to impersonate any person or entity, including any other user, CrowdStrike or a CrowdStrike employee; (b) any attempt to misrepresent your identity or affiliation with any person or organization; or (iv) for the purposes of recruiting, advertising, solicitation or commercial activities of any kind without our express written consent.

THE ARTWORK IS PROVIDED TO YOU BY CROWDSTRIKE ON AN “AS IS” AND “AS AVAILABLE” BA SIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. EXCEPT TO THE EXTENT THAT A DISCLAIMER OF LIABILITY IS PROHIBITED UNDER APPLICABLE LAW, IN NO EVENT WILL CROWDSTRIKE, ITS AFFILIATES AND ITS LICENSORS, EMPLOYEES, AGENTS, OFFICERS AND DIRE CTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE ARTWORK.