Threat Actor Profile

Pinchy Spider

Pinchy Spider, also known as Gold Southfield, is a financially motivated cybercriminal group originating from Russia. Active since 2018, they are infamous for developing and operating GandCrab and REvil ransomware under a Ransomware-as-a-Service (RaaS) model. Their operations focus on high-value targets using advanced tactics like lateral movement and data exfiltration.

Country of Origin

Pinchy Spider is believed to operate out of Russia. This assessment is supported by their avoidance of targeting systems in Russia and other Commonwealth of Independent States (CIS) countries.

Members

The exact size of the group is unknown. Pinchy Spider operates through a network of affiliates who execute ransomware attacks using their RaaS platform.

Leadership

The leadership of Pinchy Spider remains unknown. However, their operations suggest a highly organized structure with clear roles for developers and affiliates.

Pinchy Spider TTPs

Tactics

The primary goal of Pinchy Spider is financial gain through ransomware attacks targeting enterprises and critical infrastructure.


Techniques

  • Exploiting vulnerabilities in public-facing applications (e.g., Oracle WebLogic).

  • Using stolen credentials for lateral movement via RDP.

  • Employing phishing campaigns to gain initial access.

Procedures

  • Deploying GandCrab and REvil ransomware.

  • Utilizing tools like Cobalt Strike and certutil for reconnaissance and persistence.

  • Encrypting individual hosts and demanding per-host ransoms.

Indicators of Compromise (IoCs)

The following are some known indicators of compromise associated with Pinchy Spider:


GandCrab v5.2 SHA256:
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

Phorpiex Loader SHA256:
5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8
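SHA-256 values copied from a profile like this one frequently arrive wrapped across lines, and a hunt that compares file hashes against them silently misses everything if the fragments are used as-is. The following Python is an added example, not Huntress code: it reassembles and validates the two digests listed above from a constructed, line-wrapped IoC block, then matches file contents against the set. The IOC_TEXT layout and the sample bytes are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# IoC text constructed from this profile's two listed digests, wrapped mid-hash as a paste often is.
IOC_TEXT = """
GandCrab v5.2 SHA256:
329b3ddbf1c00b7767f0ec39b90eb9f4
f8bd98ace60e2f6b6fbfb9adf25e3ef9

Phorpiex Loader SHA256:
5a1ab27b99f3fe6cbe825f2743c77347a7
339783f8a22d99a54be2d07b94c1a8
"""
LABEL_RE = re.compile(r"^(?P<label>.+?)\s+SHA256:\s*$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]+$")

def parse_ioc_block(text):
    """Return {sha256_hex: label}, joining hex fragments under each label into 64-char digests."""
    iocs, label, buf = {}, None, ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = LABEL_RE.match(line)
        if m:
            if buf:  # a new label while a digest is still incomplete means the copy is damaged
                raise ValueError(f"incomplete digest under {label!r}: {buf}")
            label = m.group("label")
            continue
        if label is None or not HEX_RE.match(line.lower()):
            raise ValueError(f"unexpected line in IoC block: {line!r}")
        buf += line.lower()
        if len(buf) == 64:  # full SHA-256; any other final length is reported as incomplete
            iocs[buf], buf = label, ""
    if buf:
        raise ValueError(f"incomplete digest under {label!r}: {buf}")
    return iocs

def scan_blobs(blobs, iocs):
    """Return [(name, label)] for each (name, bytes) pair whose SHA-256 is a known IoC."""
    hits = []
    for name, data in blobs:
        digest = hashlib.sha256(data).hexdigest()
        if digest in iocs:
            hits.append((name, iocs[digest]))
    return hits

def iter_files(root):
    """Yield (path, bytes) for every regular file under root, to feed scan_blobs()."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            yield str(p), p.read_bytes()
```

A hash match is a strong but narrow signal: a recompiled or repacked sample gets a new digest, so pair this with the behavioural controls described under "How to Defend Against Pinchy Spider".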


Key Victims

Pinchy Spider has targeted several high-profile organizations and industries. Notable victims include:

  • Texas local governments, which were hit in a coordinated ransomware attack in 2019.

  • CyrusOne, a major data center provider in the United States, which suffered a ransomware attack in 2019.

  • Travelex, a global foreign exchange company, which was attacked in late 2019.

  • JBS Foods, a leading global food processing company, which was targeted in 2021.

Notable Cyberattacks

Pinchy Spider has been linked to several significant cyberattacks:

  • GandCrab Campaigns (2018-2019): These campaigns targeted enterprises worldwide and generated over $2 billion in ransom payments. The group’s innovative RaaS model allowed affiliates to execute attacks on a large scale.

  • REvil Operations (2019-2021): Pinchy Spider transitioned to using REvil ransomware, which became one of the most prevalent ransomware tools. High-profile incidents included attacks on managed service providers and critical infrastructure, such as the Colonial Pipeline incident.

Law Enforcement & Arrests

Law enforcement agencies have made significant progress in combating Pinchy Spider and its affiliates:

In 2020, a GandCrab operator was arrested in Belarus, marking a major breakthrough in disrupting the group’s operations.

In 2021, several REvil affiliates were arrested in Romania and Kuwait, further weakening the group’s network.

In 2024, Russian authorities sentenced members of the REvil ransomware group to over four years in prison, demonstrating international efforts to hold cybercriminals accountable.

How to Defend Against Pinchy Spider

1. Deploy advanced endpoint protection solutions and anti-phishing technologies to detect and block malicious activities.

2. Regularly patch vulnerabilities in software and systems to prevent exploitation by attackers.

3. Segment networks to limit the lateral movement of attackers within the environment.

Use Huntress Platform Tools to detect and mitigate ransomware threats effectively, ensuring robust protection against Pinchy Spider’s tactics.
