According to CrowdStrike researchers, the criminal group behind the infamous GandCrab ransomware is nicknamed Pinchy Spider. The group has been selling access to the ransomware in a partnership program with a limited number of accounts.
It’s curious to note that the program offers a 60-40 split in profits, with 60 percent offered to the customer. However, the gang is willing to negotiate up to a 70-30 split for customers that are considered more “sophisticated”, researchers say.
The newest version of the ransomware, GandCrab 5.2, was released in February, right after a decryption tool for the previous version appeared for victims. In their latest campaigns, the Pinchy Spider gang is looking to increase their profits even more.
Security Researchers Reveal Information about GandCrab’s Operators
CrowdStrike researchers believe that the “development of the ransomware itself has been driven, in part, by PINCHY SPIDER’s interactions with the cybersecurity research community. GandCrab contains multiple references to members of the research community who are both publicly active on social media and have reported on the ransomware”.
In their most recent endeavors, Pinchy Spider criminals have been advertising GandCrab to individuals with remote desktop protocol (RDP) and VNC (Virtual Network Computing) skills, and spam operators who have experience in corporate networking.
The researchers also provided an example of such an advertisement which reads “Spammers, working with landing pages and corporate networking specialists — do not miss your ticket to a better life. We are waiting for you.”
The CrowdStrike Intelligence team first identified new GandCrab ransomware deployment tactics in mid-February. Apparently, a threat actor was detected while performing actions on a victimized host in an attempt to install GandCrab.
Though initially unsuccessful, the threat actor returned later to perform further reconnaissance on the victim network, the report says. On the next day the criminal returned once again and manually removed the security software on the host that had been preventing the installation of GandCrab.
During the reconnaissance process, the criminal used system administration tools such as Sysinternals Process Monitor, Process Hacker, and a file search tool called LAN Search Pro, all of which helped him collect information from the hosts.
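The hands-on reconnaissance described above leaves a simple telemetry footprint: several legitimate administration tools executed by one account on one host within a short time. The following is an added detection sketch, not code from the report or from CrowdStrike; it runs over constructed Sysmon-style process-creation lines, maps image basenames to the tools named in the article (the Procmon and Process Hacker basenames are real, the LAN Search Pro basename is an assumption), and alerts when one host/user pair runs at least two distinct tools.

```python
import re
from collections import defaultdict

# Image basenames for the tools named in the report. Procmon and Process Hacker
# basenames are their real ones; "lansearchpro.exe" is an assumed placeholder.
RECON_TOOLS = {
    "procmon.exe": "Sysinternals Process Monitor",
    "procmon64.exe": "Sysinternals Process Monitor",
    "processhacker.exe": "Process Hacker",
    "lansearchpro.exe": "LAN Search Pro (assumed basename)",
}

# Constructed sample of Sysmon Event ID 1 (process creation) records flattened
# to key=value pairs. Not real telemetry from any incident.
SAMPLE_LOG = """\
EventID=1 Host=ws01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"
EventID=1 Host=ws01 User=CORP\\svc_backup Image=C:\\Tools\\Procmon.exe CommandLine="Procmon.exe /AcceptEula"
EventID=1 Host=ws01 User=CORP\\svc_backup Image=C:\\Tools\\ProcessHacker.exe CommandLine="ProcessHacker.exe"
EventID=1 Host=ws01 User=CORP\\svc_backup Image=C:\\Tools\\lansearchpro.exe CommandLine="lansearchpro.exe"
EventID=1 Host=ws02 User=CORP\\alice Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one flattened log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def recon_tool_events(log_text):
    """Yield (host, user, tool) for each process-creation event whose image is a known recon tool."""
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("EventID") != "1":
            continue
        basename = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        tool = RECON_TOOLS.get(basename)
        if tool:
            yield ev["Host"], ev["User"], tool


def cluster_alerts(log_text, min_tools=2):
    """Return {(host, user): sorted tools} for principals that ran at least min_tools distinct tools."""
    seen = defaultdict(set)
    for host, user, tool in recon_tool_events(log_text):
        seen[(host, user)].add(tool)
    return {key: sorted(tools) for key, tools in seen.items() if len(tools) >= min_tools}


if __name__ == "__main__":
    for (host, user), tools in cluster_alerts(SAMPLE_LOG).items():
        print(f"ALERT host={host} user={user} tools={', '.join(tools)}")
```

A single tool execution is routine for administrators, so the threshold on distinct tools per principal is what keeps the rule from paging on every Procmon launch.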
In short, the change in deployment tactics observed in these recent incidents, along with Pinchy Spider’s advertising for individuals with skills in RDP/VNC and experience in corporate networking, point to the fact that the criminal gang and their affiliates are expanding to adopt big game hunting tactics, the researchers concluded.