Pinchy Spider  (Back to overview)

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

---

Associated Families

---

References

2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil

2020-06-22 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505 Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-02 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } REvil ransomware gang launches auction site to sell stolen data REvil

2020-05-21 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505 AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja @online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware Maze MimiKatz REvil

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood

2020-04-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } Sodinokibi Ransomware to stop taking Bitcoin to hide money trail REvil

2020-04-09 ⋅ Graham Cluley Blog ⋅ Graham Cluley @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack REvil

2020-03-31 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation Gandcrab REvil

2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil

2020-03-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } Ransomware Threatens to Reveal Company's 'Dirty' Secrets REvil

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare

2020-02-29 ⋅ Security Affairs ⋅ Pierluigi Paganini @online{paganini:20200229:sodinokibi:799a623, author = {Pierluigi Paganini}, title = {{Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm}}, date = {2020-02-29}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html}, language = {English}, urldate = {2020-03-11} } Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm REvil

2020-02-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices REvil

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz @techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-02-02 ⋅ Nullteilerfrei Blog ⋅ Lars Wallenborn @online{wallenborn:20200202:defeating:95aa07e, author = {Lars Wallenborn}, title = {{Defeating Sodinokibi/REvil String-Obfuscation in Ghidra}}, date = {2020-02-02}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/}, language = {English}, urldate = {2020-02-09} } Defeating Sodinokibi/REvil String-Obfuscation in Ghidra REvil

2020-01-30 ⋅ Under The Breach ⋅ Under The Breach @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods REvil

2020-01-30 ⋅ Digital Shadows ⋅ Photon Research Team @online{team:20200130:competitions:90773f4, author = {Photon Research Team}, title = {{Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?}}, date = {2020-01-30}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/}, language = {English}, urldate = {2020-02-03} } Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating? REvil

2020-01-29 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-28 ⋅ KPN ⋅ KPN @online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } Tracking REvil REvil

2020-01-26 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff, Sean Wilson @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } IDA Pro Automated String Decryption For REvil Ransomware REvil

2020-01-23 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } Sodinokibi Ransomware Threatens to Publish Data of Automotive Group REvil

2020-01-20 ⋅ Virus Bulletin ⋅ AhnLab Security Analysis Team @online{team:20200120:behind:edefc01, author = {AhnLab Security Analysis Team}, title = {{Behind the scenes of GandCrab’s operation}}, date = {2020-01-20}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/}, language = {English}, urldate = {2020-01-20} } Behind the scenes of GandCrab’s operation Gandcrab

2020-01-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } New Jersey Synagogue Suffers Sodinokibi Ransomware Attack REvil

2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware

2020-01-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Publishes Stolen Data for the First Time REvil

2020-01-10 ⋅ CSIS ⋅ CSIS @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019 Gustuff magecart Emotet Gandcrab Ramnit TrickBot

2020-01-10 ⋅ BleepingComputer ⋅ Sergiu Gatlan @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } Sodinokibi Ransomware Hits New York Airport Systems REvil

2020-01-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another REvil

2020-01-06 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } Sodinokibi Ransomware Hits Travelex, Demands $3 Million REvil

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:bc28839, author = {SecureWorks}, title = {{GOLD SOUTHFIELD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2020-05-23} } GOLD SOUTHFIELD REvil

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:c7d5baf, author = {SecureWorks}, title = {{GOLD GARDEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-garden}, language = {English}, urldate = {2020-05-23} } GOLD GARDEN Gandcrab

2019-12-18 ⋅ Hatching.io ⋅ Pete Cowman @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } Understanding Ransomware Series: Detecting Sodin REvil

2019-12-12 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } Another Ransomware Will Now Publish Victims' Data If Not Paid REvil

2019-12-04 ⋅ Elastic ⋅ David French @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } Ransomware, interrupted: Sodinokibi and the supply chain REvil

2019-11-09 ⋅ Lars Wallenborn @online{wallenborn:20191109:apihashing:ec59534, author = {Lars Wallenborn}, title = {{API-Hashing in the Sodinokibi/Revil Ransomware - Why and How?}}, date = {2019-11-09}, url = {https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/}, language = {English}, urldate = {2019-12-18} } API-Hashing in the Sodinokibi/Revil Ransomware - Why and How? REvil

2019-11 ⋅ Virus Bulletin ⋅ Alexandre Mundo Alguacil, John Fokker @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth Gandcrab

2019-10-20 ⋅ McAfee ⋅ Jessica Saavedra-Morales, Ryan Sherstobitoff, Christiaan Beek @online{saavedramorales:20191020:mcafee:237cd1b, author = {Jessica Saavedra-Morales and Ryan Sherstobitoff and Christiaan Beek}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo}}, date = {2019-10-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/}, language = {English}, urldate = {2020-01-09} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo REvil

2019-10-02 ⋅ McAfee ⋅ McAfee Labs @online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us Gandcrab REvil

2019-09-24 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190924:revilsodinokibi:646c88c, author = {CTU Research Team}, title = {{REvil/Sodinokibi Ransomware}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/revil-sodinokibi-ransomware}, language = {English}, urldate = {2020-01-08} } REvil/Sodinokibi Ransomware REvil

2019-09-24 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190924:revil:3f165f3, author = {CTU Research Team}, title = {{REvil: The GandCrab Connection}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-the-gandcrab-connection}, language = {English}, urldate = {2020-01-08} } REvil: The GandCrab Connection REvil

2019-08-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } A Look Inside the Highly Profitable Sodinokibi Ransomware Business REvil

2019-08-23 ⋅ The New York Times ⋅ Manny Fernandez, David E. Sanger, Marina Trahan Martinez @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } Ransomware Attacks Are Testing Resolve of Cities Across America REvil

2019-08-10 ⋅ Dissecting Malware ⋅ Marius Genheimer @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } GermanWiper's big Brother? GandGrab's kid ? Sodinokibi! REvil

2019-07-15 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } Is ‘REvil’ the New GandCrab Ransomware? REvil

2019-07-08 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20190708:whos:54977ab, author = {Brian Krebs}, title = {{Who’s Behind the GandCrab Ransomware?}}, date = {2019-07-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-07} } Who’s Behind the GandCrab Ransomware? Gandcrab

2019-07-03 ⋅ Kaspersky Labs ⋅ Orkhan Mamedov, Artur Pakulov, Fedor Sinitsyn @online{mamedov:20190703:sodin:74c101f, author = {Orkhan Mamedov and Artur Pakulov and Fedor Sinitsyn}, title = {{Sodin ransomware exploits Windows vulnerability and processor architecture}}, date = {2019-07-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/sodin-ransomware/91473/}, language = {English}, urldate = {2019-12-20} } Sodin ransomware exploits Windows vulnerability and processor architecture REvil

2019-06-24 ⋅ VirIT ⋅ Gianfranco Tonello, Michele Zuin, Federico Girotto @online{tonello:20190624:ransomware:d1922b8, author = {Gianfranco Tonello and Michele Zuin and Federico Girotto}, title = {{Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report}}, date = {2019-06-24}, organization = {VirIT}, url = {https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004}, language = {English}, urldate = {2020-01-08} } Ransomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report REvil

2019-06-24 ⋅ Fortinet ⋅ Joie Salvio @online{salvio:20190624:gandcrab:6120cb2, author = {Joie Salvio}, title = {{GandCrab Threat Actors Retire...Maybe}}, date = {2019-06-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html}, language = {English}, urldate = {2020-01-08} } GandCrab Threat Actors Retire...Maybe Gandcrab

2019-06-17 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } Good riddance, GandCrab! We’re still fixing the mess you left behind Gandcrab

2019-06-14 ⋅ Certego ⋅ Matteo Lodi @online{lodi:20190614:malware:c93f3de, author = {Matteo Lodi}, title = {{Malware Tales: Sodinokibi}}, date = {2019-06-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-sodinokibi/}, language = {English}, urldate = {2019-12-17} } Malware Tales: Sodinokibi REvil

2019-06-03 ⋅ SC Magazine ⋅ Doug Olenick @online{olenick:20190603:gandcrab:9ed3174, author = {Doug Olenick}, title = {{GandCrab ransomware operators put in retirement papers}}, date = {2019-06-03}, organization = {SC Magazine}, url = {https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/}, language = {English}, urldate = {2020-01-08} } GandCrab ransomware operators put in retirement papers Gandcrab

2019-06-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion Gandcrab

2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam Unidentified 062 (Lazarus/RAT)

2019-04-30 ⋅ Cisco Talos ⋅ Pierre Cadieux, Colin Grady, Jaeson Schultz, Matt Valites @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } Sodinokibi ransomware exploits WebLogic Server vulnerability REvil

2019-03-06 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley, Sergei Frankoff @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware Gandcrab Phorpiex Pinchy Spider Zombie Spider

2019-02-19 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } New GandCrab v5.1 Decryptor Available Now Gandcrab

2019-01-07 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } GandCrab Operators Use Vidar Infostealer as a Forerunner Gandcrab vidar

2019 ⋅ CrowdStrike ⋅ CrowdStrike @online{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-01-08} } 2019 CrowdStrike Global Threat Report Boss Spider Flash Kitten Guru Spider Judgment Panda Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider

2018-11-08 ⋅ TC Contre ⋅ tcontre @online{tcontre:20181108:re:c143721, author = {tcontre}, title = {{R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'}}, date = {2018-11-08}, organization = {TC Contre}, url = {https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html}, language = {English}, urldate = {2020-01-09} } R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye' Gandcrab

2018-10-25 ⋅ Bitdefender ⋅ Bogdan Botezatu @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } GandCrab Ransomware decryption tool Gandcrab

2018-10-25 ⋅ Europol ⋅ Europol @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } Pay No More: universal GandCrab decryption tool released for free on No More Ransom Gandcrab

2018-07-19 ⋅ Sensors Tech Forum ⋅ Ventsislav Krastev @online{krastev:20180719:killswitch:487a882, author = {Ventsislav Krastev}, title = {{Killswitch File Now Available for GandCrab v4.1.2 Ransomware}}, date = {2018-07-19}, organization = {Sensors Tech Forum}, url = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/}, language = {English}, urldate = {2020-01-07} } Killswitch File Now Available for GandCrab v4.1.2 Ransomware Gandcrab

2018-07-18 ⋅ ASEC ⋅ AhnLab ASEC Analysis Team @online{team:20180718:gandcrab:dc09385, author = {AhnLab ASEC Analysis Team}, title = {{GandCrab v4.1.2 Encryption Blocking Method (Kill Switch)}}, date = {2018-07-18}, organization = {ASEC}, url = {http://asec.ahnlab.com/1145}, language = {Korean}, urldate = {2020-01-08} } GandCrab v4.1.2 Encryption Blocking Method (Kill Switch) Gandcrab

2018-05-09 ⋅ Cisco Talos ⋅ Nick Biasini, Nick Lister, Christopher Marczewski @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } Gandcrab Ransomware Walks its Way onto Compromised Sites Gandcrab

2018-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there Gandcrab GlobeImposter

2018-02-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts Gandcrab

2018-01-30 ⋅ Malwarebytes ⋅ Malwarebytes Labs @online{labs:20180130:gandcrab:86c30cb, author = {Malwarebytes Labs}, title = {{GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)}}, date = {2018-01-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/}, language = {English}, urldate = {2019-12-20} } GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Gandcrab

2018-01-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension Gandcrab

---

Credits: MISP Project