Adversary
Pinchy Spider
Origin
Eastern Europe, Russian Federation
Community Identifiers
GandCrab, REvil, Sodinokibi, GOLD GARDEN, GOLD SOUTHFIELD
Pinchy Spider is a criminal group behind the development and operation of the ransomware REvil (aka Sodinokibi), which was brought into operation at the beginning of April 2019.
Pinchy Spider sells access to its ransomware through a partnership program with a limited number of accounts, a model often referred to as Ransomware-as-a-Service (RaaS). The group was first known as the developer of the GandCrab ransomware, which was active between January 2018 and the end of May 2019.
REvil
Samples of REvil were first identified in early April 2019, while GandCrab was still active. Analysis by CrowdStrike Intelligence identified several overlaps in code, as well as in Tactics, Techniques, and Procedures (TTPs), that confirm a link between the GandCrab and REvil operations, including RC4 string decryption, information gathering, command-and-control (C2) techniques, and file encryption. CrowdStrike Intelligence attributes the operation of REvil to Pinchy Spider, a group made up of some of the individuals who operated the now-defunct GandCrab together with new members drawn from a former GandCrab affiliate network.
GandCrab
GandCrab first emerged at the end of January 2018 and is one of the first known ransomware families to accept the DASH cryptocurrency and to use the Namecoin .bit TLD, which acts as an alternative, decentralized domain name system.
On 31 May 2019, Pinchy Spider stated in a forum post that it was retiring from operations and that the GandCrab partnership program was being closed down. The actor requested that no further distribution campaigns be run and gave members of the partner program 28 days to monetize any remaining infections.
Technical Tradecraft
- Use of RC4 for string decryption
- Enumeration of the installed keyboard layout list for locale verification
- Enumeration and termination of processes associated with the files targeted for encryption
- Check of the host's domain name for the .ru TLD to avoid encrypting Russian companies
Targeted Nations
Argentina
Australia
Belgium
Brazil
Canada
Chile
China
Europe
France
Germany
Hong Kong
Indonesia
Italy
Jamaica
Japan
Luxembourg
Mexico
Norway
Singapore
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Trinidad And Tobago
United Arab Emirates
United Kingdom
United States
Target Industries
- Agriculture
- Automotive
- Biomedical
- Chemicals
- Consulting & Professional Services
- Consumer Goods
- Cryptocurrency
- Food and Beverage
- Hospitality
- Industrials and Engineering
- Legal
- Logistics
- Maritime
- NGOs and Nonprofits
- Opportunistic
- Real Estate
- State & Municipal Government
- Academic
- Energy
- Government
- Media
- Retail
- Technology