Pinchy Spider group takes up Big game hunting with GandCrab

The notorious GandCrab ransomware is going big game hunting: its developers and affiliates are now targeting enterprise organizations to increase profits

Pinchy Spider group employs big game hunting tactics. The hacking group Pinchy Spider and its affiliates are going after corporate networks with GandCrab ransomware.

Pinchy Spider, the developer of the RaaS-based GandCrab ransomware,[1] is now targeting larger organizations and recruiting cybercriminals who are versed in Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) intrusions and in compromising corporate networks.

Researchers Brendon Feeley, Bex Hartley and Sergei Frankoff from CrowdStrike Intelligence reported[2] that GandCrab affiliates are now using tools and techniques typically associated with state-sponsored hacking groups. This tactic, known as "big game hunting", lets attackers infect fewer computers and networks for a bigger profit margin.

GandCrab has been one of the most prevalent and devastating ransomware families of the past year

Pinchy Spider is the developer of GandCrab ransomware, malware that has been prominent since its creation in January 2018. The group operates a Ransomware-as-a-Service scheme in which wanna-be hackers, and practically anyone else, can distribute the malicious code: the developers take a 40% cut of the profits, leaving 60% to the affiliate. For "big game hunting" affiliates, however, the developers are willing to reduce their share to a 70-30 split in the affiliate's favour, as long as the distributor is skilled enough.

Security researchers at Bitdefender released a decryptor in February 2019 for all versions of the ransomware below 5.2.[3] This is the third decryptor to negate the consequences of the treacherous ransomware, which has infected thousands of users worldwide. However, the developers are quick to respond, and going after corporations instead of regular users will bring the criminals more profit.

The GandCrab developers, for their part, closely follow the researchers working against them and even address them directly in the malware:[2]

GandCrab contains multiple references to members of the research community who are both publicly active on social media and have reported on the ransomware.

The main catalyst for dedicated development by PINCHY SPIDER, however, has been an ongoing battle with cybersecurity providers that are actively developing GandCrab mitigations and decryptors. PINCHY SPIDER has responded by deploying fixes and even developed a zero-day exploit aimed at customers of one of those providers.

Remote Desktop Protocol attacks allow hackers to monitor the infection process in real time

Remote Desktop Protocol attacks are carried out with credentials stolen in mega-breaches such as Collection #1[4] or the Marriott hotel chain breach. Using the stolen credentials, the hackers connect to the targeted computer over RDP and then upload the GandCrab payload onto the network manually.

The first such attack was observed in mid-February, when CrowdStrike researchers noticed the new GandCrab infiltration tactic on a victim host. The attacker initially failed to deploy the payload but later returned to push further into the network. Once connected to the host, the attacker managed to turn off the security software that was blocking the payload and then installed the malware manually.

From there, the attacker was able to move laterally across the network, infecting a larger number of machines with the as-yet undecryptable GandCrab 5.2. Tools such as Process Hacker, Sysinternals Process Monitor and LAN Search Pro were used along the way.

In another incident, researchers observed the attacker entering a victim's network in a similar manner, but this time the domain controller was accessed, allowing the perpetrator to push the malicious payload to systems across the domain using legitimate corporate software.
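The chain described in the two incidents above (an RDP logon with stolen credentials, security software stopped by hand, then admin tooling run interactively before the payload lands) is exactly what a SOC would want to catch early. The script below is an added example, not code from this article or from CrowdStrike: it correlates Windows event records that have already been flattened to dictionaries, the way a SIEM would hand them over, and raises an alert when a RemoteInteractive logon (Security Event ID 4624, LogonType 10) from a non-RFC1918 address is followed within a window by process creation (Event ID 4688) of the tools named in the report or by a security service entering the stopped state (System Event ID 7036 from the Service Control Manager). The event records are constructed; the binary names for Process Hacker, Process Monitor and LAN Search Pro, the service-name fragments treated as "security software", the two-hour window and the field names are all assumptions.

```python
"""Correlate external RDP logons with follow-on tooling (constructed example)."""
from datetime import datetime, timedelta

# Binary names assumed for the tools the report names (the report lists
# products, not file names).
SUSPICIOUS_PROCESSES = {
    "processhacker.exe",
    "procmon.exe", "procmon64.exe",
    "lansearchpro.exe",
}
# Fragments of service display names treated as "security software" (assumption).
SECURITY_SERVICE_HINTS = ("antivirus", "defender", "endpoint", "protection")

# How long after the RDP logon we keep attributing activity to that session.
WINDOW = timedelta(hours=2)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_external(ip):
    """Crude RFC1918 check: anything outside 10/8, 172.16/12, 192.168/16 is external."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    a, b = int(octets[0]), int(octets[1])
    if a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168):
        return False
    return True


def correlate(events):
    """Return alerts as (host, user, source_ip, [follow-on descriptions]).

    Events are dicts with at least 'time', 'host' and 'id'; 4624 events carry
    'logon_type', 'user' and 'src_ip', 4688 events carry 'process' (full path,
    as NewProcessName would), and 7036 events carry 'service' and 'state'.
    """
    events = sorted(events, key=lambda e: _ts(e["time"]))
    alerts = []
    for i, e in enumerate(events):
        # Only RemoteInteractive (RDP) logons from outside the private ranges seed an alert.
        if not (e["id"] == 4624 and e.get("logon_type") == 10
                and is_external(e.get("src_ip", ""))):
            continue
        start = _ts(e["time"])
        follow = []
        for f in events[i + 1:]:
            if _ts(f["time"]) - start > WINDOW:
                break  # events are sorted, nothing later can be in the window
            if f["host"] != e["host"]:
                continue
            if f["id"] == 4688:
                name = f.get("process", "").rsplit("\\", 1)[-1]
                if name.lower() in SUSPICIOUS_PROCESSES:
                    follow.append(f"process {name}")
            elif (f["id"] == 7036 and f.get("state") == "stopped"
                  and any(h in f.get("service", "").lower() for h in SECURITY_SERVICE_HINTS)):
                follow.append(f"service stopped {f['service']}")
        if follow:
            alerts.append((e["host"], e["user"], e["src_ip"], follow))
    return alerts


# Constructed sample: one intrusion matching the article's description on FS01,
# plus a benign LAN-side RDP session on WS07 that must not alert.
SAMPLE_EVENTS = [
    {"time": "2019-02-14T03:12:08", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "CORP\\jsmith", "src_ip": "203.0.113.45"},
    {"time": "2019-02-14T03:14:30", "host": "FS01", "id": 4688,
     "process": "C:\\Users\\jsmith\\Desktop\\ProcessHacker.exe"},
    {"time": "2019-02-14T03:16:02", "host": "FS01", "id": 7036,
     "service": "Example Endpoint Protection", "state": "stopped"},
    {"time": "2019-02-14T03:20:45", "host": "FS01", "id": 4688,
     "process": "C:\\Tools\\LanSearchPro.exe"},
    {"time": "2019-02-14T09:00:00", "host": "WS07", "id": 4624, "logon_type": 10,
     "user": "CORP\\admin", "src_ip": "10.0.5.12"},
    {"time": "2019-02-14T09:05:00", "host": "WS07", "id": 4688,
     "process": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"},
]

if __name__ == "__main__":
    for host, user, ip, follow in correlate(SAMPLE_EVENTS):
        print(f"{host}: RDP logon by {user} from {ip}, followed by: {', '.join(follow)}")
```

Event ID 4688 is only emitted when process creation auditing is enabled, so on a fleet without it the second half of the correlation is blind; the 7036 "entered the stopped state" message is the one signal here that needs no extra audit policy. Treating every non-RFC1918 source as external is deliberately crude: in a real deployment the check would be replaced with the organization's known VPN and jump-host ranges.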

The payload sample was examined and turned out to be linked not only to Pinchy Spider and GandCrab but also to other malware such as AZORult and XMRig.[5]

The new distribution tactics also change how GandCrab authors and affiliates earn money

GandCrab distributors typically asked between $500 and $2,400 in Dash or Bitcoin for the file decryptor. Many regular users did not find the deal appealing and did not pay the ransom; in fact, those infected with version 5.1 or below who waited long enough for a decryptor to be released recovered all their data without significant loss. Infecting corporations, however, will result in more substantial payments, because the data at stake is tied to the business.

GandCrab distributors are taking a slightly different direction from other major ransomware operators such as SamSam or Ryuk.[6] Instead of asking for one large sum for a decryption tool that unlocks every file on the network, they demand payment for each device individually.

Big game hunting attacks are more lucrative and continue to be successful, as organizations are faced with a difficult choice of paying ransom or not:

Both INDRIK SPIDER (with BitPaymer ransomware) and GRIM SPIDER (with Ryuk ransomware) have made headlines with their high profile victims and ransom profits, demonstrating that big game hunting is a lucrative enterprise. Running successful big game hunting operations results in a higher average profit per victim, allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is a news editor covering computer protection, the latest malware trends, software vulnerabilities, data breaches, and more.
