{
	"id": "1c4a45e0-c011-4071-8d80-d65a7077ea77",
	"created_at": "2026-04-06T00:21:20.745012Z",
	"updated_at": "2026-04-10T13:12:03.792471Z",
	"deleted_at": null,
	"sha1_hash": "cc6d9f0b82c6f951d97b6d40b5f58c4ab021d3b6",
	"title": "The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521944,
	"plain_text": "The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike\r\nBy AdamM\r\nArchived: 2026-04-05 12:54:48 UTC\r\nFor years, ransomware was a nuisance that impacted individuals who were unfortunate enough to encounter it via banking trojans, exploit kits or phishing attacks, and it resulted in a large number of small-value ransoms — typically hundreds of dollars per incident. In 2016, a terrifying new model began to emerge, fueled by reports of high-value ransom demands targeting hospitals and medical facilities that were forced to pay ransoms in the tens of thousands of dollars (see: “Ransomware: Understanding the Threat and Exploring Solutions,” Statement from Adam Meyers for the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, May 18, 2016). These attacks, which we now call “big game hunting” (BGH), were conducted by well-known criminal groups using existing banking trojans that were repurposed for enterprise ransomware attacks. This model of attacking the enterprise illustrates that attackers realized they could make far more money going after highly targeted organizations. These targets started with healthcare but quickly morphed to large organizations that could calculate downtime in lost revenue, where at some point not long after the attack, the cost of being offline was higher than the ransom demand. This is what the attackers were counting on, and as such we observed manufacturing, technology, industrial targets, state and local governments, and school districts all becoming attractive targets for big game hunters — organizations and verticals that often lagged broader industry in terms of security sophistication.\r\nThe Advent of RaaS (and Emergence of PINCHY SPIDER)\r\nWhat began with closed specialized groups conducting these attacks soon morphed into ransomware as a service (RaaS), where a small circle of developers with criminal intent would create a platform for building encrypters and decryptors, and for managing the ransom notes and payment portals. These groups would take on affiliates, known in Russian slang as “partnerkas,” who would leverage the platform for the actual ransom activity and be responsible for the targeting, deployment and execution of the attack. These affiliates would then share the revenue with the platform operators for the privilege of using the service.\r\nIn early 2018, one such RaaS, named GandCrab by its developers, hit the underground markets. The early versions of GandCrab had some implementation flaws, and the developers learned lessons that helped refine their business model. For example, early versions of GandCrab exchanged cryptographic keys insecurely, and organizations that recorded all network sessions could recover the keys. GandCrab operators initially sought partners to help them evolve the platform by offering a revenue-sharing model, which continued to evolve over the years.\r\nSome of the prohibitions for the affiliates of GandCrab included:\r\nTargeting machines in Russia and other Commonwealth of Independent States (CIS) countries (the malware will not infect machines whose keyboard layouts and other parameters are specific to these countries)\r\nUsing unverified antivirus scanners\r\nPublicly listing the admin panel .onion address\r\nhttps://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/\r\nPage 1 of 5\r\nReselling accounts\r\nOne of the notable differentiators for GandCrab included payment via the Dash cryptocurrency. Shortly after the introduction of GandCrab, the payment portal was compromised, resulting in free decryptors being published. The adversary (i.e., the GandCrab developer) responded by announcing that a version 2.0 would be available as a result, which they made good on within a week.\r\nCrowdStrike began tracking this ransomware platform developer as PINCHY SPIDER, observing that they continued to innovate with newer versions of the ransomware. Version 4.2.1, for example, was released as a result of an antivirus company releasing a “vaccine” for version 4.1.2, indicating that PINCHY SPIDER actors were continuously monitoring social media and open sources for discussion of their tools. As the end-of-year holidays rolled around in 2018, PINCHY SPIDER announced that they would have limited support during the holidays but would release a new version by the Russian Orthodox Christmas. GandCrab operations continued to improve and develop throughout the first half of 2019, but on May 31, 2019, they announced, “All good things come to an end,” claiming their affiliates made $2 billion USD over the previous year and that PINCHY SPIDER themselves made $150 million USD. They announced that they would be shutting down in 20 days and that victims should pay or lose their data forever.\r\nGandCrab Evolves Into REvil\r\nAs the GandCrab samples stopped being identified and the payment portal was decommissioned, another ransomware began to become more prevalent, first identified a few months earlier and known as “Sodinokibi.” This new ransomware shared technical overlaps as well as distribution and operational overlaps with GandCrab, leading CrowdStrike Intelligence to suspect these two ransomware families were related. By July 2019, “REvil” became another name for this new ransomware, which quickly became one of the more prevalent ransomware tools observed.\r\nBy December of 2019, a managed service provider (MSP) became a victim of PINCHY SPIDER’s REvil ransomware, with the actor demanding a $6 million USD payment. At the time, CrowdStrike Intelligence noted they “will likely continue to compromise managed service providers and make use of remote management software to spread REvil ransomware in order to ransom many companies from a single point of entry.” As the world became impacted by the COVID-19 pandemic in early 2020, PINCHY SPIDER started capitalizing on a new trend of stealing data and further extorting the victim to pay so that the data would not be publicly leaked, suggesting that victims might be subject to fines due to the EU’s General Data Protection Regulation (GDPR) if they did not pay.\r\nIn May 2021, the Colonial Pipeline ransomware attack made headlines across the globe, prompting the U.S. government to make statements about the attack and its implications. This attack was associated with another RaaS known as DarkSide, which CrowdStrike associates with CARBON SPIDER. As a result of the increased attention, PINCHY SPIDER issued new rules for their REvil RaaS affiliates, including the need to screen potential ransomware victims prior to infection. Only a few weeks later, PINCHY SPIDER was associated with a second breach targeting JBS, which resulted in additional statements from the U.S. Department of Justice indicating that ransomware investigations would be conducted similarly to counterterrorism investigations. This prompted someone associated with PINCHY SPIDER to state that they were lifting targeting prohibitions, stating: “It no longer makes sense to avoid working in the United States, all restrictions have been removed. You can work in all types of activities of a given state.”\r\nProtection Against PINCHY SPIDER and REvil\r\nPINCHY SPIDER remains one of the most prevalent threat actors in the ransomware and data extortion space. Protecting against this type of threat requires organizations to get serious about security. Hope is not a strategy, and organizations closing their eyes and hoping they aren’t going to be hit by ransomware will not work. Here are five things that can help:\r\nSecure the enterprise: This is what security experts have been saying for two decades: Ensure that the enterprise is defendable. Implementing sound security methodologies, patch management, vulnerability tracking and Zero Trust goes a long way to help drive security and make an enterprise a harder target. (See the recent U.S. cybersecurity Executive Order and our blog post, “New Cybersecurity Executive Order: What It Means for the Public Sector.”)\r\nEngage the threat: Waiting for the attacker to come to you is a dangerous precedent. Threat hunting ensures that any security incident, no matter how small, is investigated by dedicated hunters who go out and look for trouble. If you can engage these threats quickly, before they elevate privileges or move laterally, you can prevent the ultimate objective, whether that is information theft or ransomware.\r\nNext-gen tech: Signature-based antivirus technology doesn’t cut it anymore. Machine learning classifiers that can determine if something is malicious based on its behavior or other observable traits are table stakes for defending the enterprise today.\r\nTabletop exercises: You play like you practice. You can have the best backup solution in the world, but if you have no idea who to call, which systems to bring up first, or have never tested the recovery at scale, then you’re doing it for the first time during a major incident. A tabletop exercise can help build the muscle memory that an organization needs so that its teams know what to do when a situation presents itself. These can be conducted quarterly or even monthly, with different scenarios to help ensure that everyone is training for different threats.\r\nIntelligence: There are dozens of different big game hunting adversaries that operate today. Understanding how they operate, who they are and what they target can ensure that your enterprise defenders are ready for the threat and know what to look for.\r\nAdditional Resources\r\nLearn more about PINCHY SPIDER, CARBON SPIDER and other ransomware adversaries in the CrowdStrike Adversary Universe.\r\nDownload the CrowdStrike 2021 Global Threat Report for more information about adversaries tracked by CrowdStrike Intelligence in 2020.\r\nSee how the powerful, cloud-native CrowdStrike Falcon® platform protects customers from DarkSide ransomware in this blog: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/"
	],
	"report_names": [
		"the-evolution-of-revil-ransomware-and-pinchy-spider"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc6d9f0b82c6f951d97b6d40b5f58c4ab021d3b6.pdf",
		"text": "https://archive.orkl.eu/cc6d9f0b82c6f951d97b6d40b5f58c4ab021d3b6.txt",
		"img": "https://archive.orkl.eu/cc6d9f0b82c6f951d97b6d40b5f58c4ab021d3b6.jpg"
	}
}