ATK168

Presumed Origin:

Alias: PINCHY SPIDER, REvil Ransomware Gang

ATK168 (aka PINCHY SPIDER by CrowdStrike; SODINOKIBI / REVIL RANSOMWARE GANG; GOLD SOUTHFIELD by MITRE ATT&CK)

The group behind the GandCrab ransomware sold access to it through an affiliate programme limited to a small number of partners. In May 2019 the group announced its retirement, which coincided with the first appearance of REvil / Sodinokibi in April of the same year.

REvil is a ransomware-as-a-service (RaaS) operation. In 2020 it was the ransomware most often involved in attacks. These attacks do not only encrypt data that the victim can recover only by paying a ransom: the criminals additionally threaten to publish the stolen data unless the ransom is paid.

The main infection vector is a phishing email inviting the recipient to download a compressed file, but other techniques have also been used (for example, in June 2021, the exploitation of a vulnerability in software from the company Kaseya). Several elements point to a Russian origin for this malware: the program is designed to suspend its activity if it detects that the system language is Russian, and it is sold on Russian-speaking forums.

On 13 July 2021, REvil websites and other infrastructure vanished from the internet.
This group has been a source of tension between the newly elected US President Joe Biden and Vladimir Putin, following the numerous attacks on the US originating from Russia. Since the group's infrastructure went offline, senior officials have not ruled out the possibility that the Russian government put pressure on the group.
References:

PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware

https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Pinchy%20Spider%2C%20Gold%20Southfield&n=1

https://attack.mitre.org/software/S0496/

https://go.crowdstrike.com/rs/281-OBQ-266/image/Report2020CrowdStrikeGlobalThreatReport.pdf
Target sector

  • Computers and software development
  • High-Tech
  • Pharmacy and drug manufacturing
  • Telecommunication

Target countries

  • Åland Islands

Attack pattern

  • T1027 - Obfuscated Files or Information
  • T1059.001 - PowerShell
  • T1113 - Screen Capture
  • T1133 - External Remote Services
  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1199 - Trusted Relationship
  • T1219 - Remote Access Software
  • T1566 - Phishing
  • Thales 007 - Information Disclosure Blackmailing

Motivation

  • Financial Gain

Malware

  • GandCrab
  • Sodinokibi

Vulnerabilities

  • CVE-2019-11510