Pinchy Spider, Gold Southfield - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 13:42:56 UTC

APT group: Pinchy Spider, Gold Southfield

Names:
Pinchy Spider (CrowdStrike)
Gold Southfield (SecureWorks)
Gold Garden (SecureWorks)
G0115 (MITRE)

Country: Russia
Motivation: Financial gain
First seen: 2018

Description (CrowdStrike):
CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”

Pinchy Spider is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. Pinchy Spider sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

GandCrab and Sodinokibi have been observed to be distributed by DanaBot (operated by Scully Spider, TA547) and Taurus Loader (operated by Venom Spider, Golden Chickens).

Observed countries: Worldwide.

Tools used: certutil, Cobalt Strike, GandCrab, Sodinokibi, VIDAR.

Operations performed:
Apr 2019: Sodinokibi ransomware exploits WebLogic Server vulnerability
Jun 2019: Yesterday night, a source in the malware community has told ZDNet that the GandCrab RaaS operators formally announced plans to shut down their service within a month. The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched.
Aug 2019: Over 20 Texas local governments hit in 'coordinated ransomware attack'
Dec 2019: CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned.
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2 Page 1 of 7
Dec 2019: Sodinokibi Ransomware Behind Travelex Fiasco: Report
Dec 2019: A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment.
Jan 2020: New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
Jan 2020: Sodinokibi Ransomware Publishes Stolen Data for the First Time. They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid.
Feb 2020: The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victims' data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon.
Feb 2020: The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions.
Mar 2020: The operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty' financial secrets because they refused to pay the demanded ransom. As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
Mar 2020: Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom.
Apr 2020: Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
Apr 2020: SeaChange video platform allegedly hit by Sodinokibi ransomware
May 2020: REvil ransomware threatens to leak A-list celebrities' legal docs
May 2020: REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack
May 2020: Here come REvil ransomware operators with another massive data leak. In this instance, they leaked confidential data of Agromart Group, well-known crop production partners.
Jun 2020: REvil ransomware creates eBay-like auction site for stolen data
Jun 2020: REvil ransomware operators have been observed while scanning one of their victim's network for Point of Sale (PoS) servers by researchers with Symantec's Threat Intelligence team.
Jun 2020: The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Brazilian-based electrical energy company Light S.A.
Jul 2020: A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files.
Jul 2020: Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager, was hit by REvil ransomware operators.
Aug 2020: Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data.
Sep 2020: REvil ransomware deposits $1 million in hacker recruitment drive
Oct 2020: REvil ransomware gang claims over $100 million profit in a year
Oct 2020: Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide.
Nov 2020: Managed web hosting provider Managed.com has taken their servers and web hosting systems offline as they struggle to recover from a weekend REvil ransomware attack.
Jan 2021: Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack
Mar 2021: Ransomware gang plans to call victim's business partners about attacks
Mar 2021: Computer giant Acer hit by $50 million ransomware attack
Mar 2021: REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
Mar 2021: REvil ransomware can now reboot infected devices
Apr 2021: Asteelflash electronics maker hit by REvil ransomware attack
Apr 2021: REvil ransomware now changes password to auto-login in Safe Mode
Apr 2021: Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack
Apr 2021: REvil gang tries to extort Apple, threatens to sell stolen blueprints
Apr 2021: Brazil's Rio Grande do Sul court system hit by REvil ransomware
May 2021: FBI: JBS ransomware attack was carried out by REvil
Jun 2021: Fujifilm confirms ransomware attack disrupted business operations
Jun 2021: US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.
Jun 2021: Relentless REvil, revealed: RaaS as variable as the criminals who use it
Jun 2021: Healthcare giant Grupo Fleury hit by REvil ransomware attack
Jun 2021: Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data
Jul 2021: Spanish telecom giant MasMovil hit by REvil ransomware gang
Jul 2021: Kaseya hijacked, thousands attacked by REvil, fix delayed again
Jul 2021: REvil ransomware gang's web sites mysteriously shut down
Sep 2021: UK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organised' DDoS attacks on UK VoIP companies
Sep 2021: REvil ransomware group returns following Kaseya attack
Sep 2021: REvil ransomware is back in full attack mode and leaking data
Sep 2021: REvil ransomware devs added a backdoor to cheat affiliates
Oct 2021: Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation.
Jan 2022: After Russian Arrests, REvil Implants Persist
Apr 2022: REvil's TOR sites come alive to redirect to new ransomware operation
May 2022: REvil ransomware returns: New malware sample confirms gang is back
May 2022: REvil Resurgence? Or a Copycat?

Counter operations:
Jul 2020: GandCrab ransomware operator arrested in Belarus
Sep 2021: REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
Oct 2021: REvil ransomware shuts down again after Tor sites were hijacked
Oct 2021: Two ransomware operators arrested in Ukraine
Oct 2021: German investigators identify REvil ransomware gang core member
Nov 2021: REvil ransomware affiliates arrested in Romania and Kuwait
Nov 2021: US seizes $6 million from REvil ransomware, arrest Kaseya hacker
Nov 2021: Five affiliates to Sodinokibi/REvil unplugged
Nov 2021: U.S. offers $10 million reward for leaders of REvil ransomware
Nov 2021: FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
Jan 2022: Russia arrests REvil ransomware gang members, seize $6.6 million
May 2024: Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme

Information: MITRE ATT&CK

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2