Pinchy Spider and its affiliated cybergangs are reacting to attempts to decrypt and defend against their flagship malware GandCrab by altering how the ransomware is deployed and recruiting new members to broaden the gang’s cyberskills.

New studies by Crowdstrike and SophosLabs show Pinchy Spider is turning toward a “Big Game Hunting” deployment model where the attackers pick out a lucrative target and spend time and energy penetrating the system to maximize their return, Crowdstrike reported. This is in addition to its regular RaaS business that has exploded during the last year, said Sophos.

Brendon Feeley, Bex Hartley and Sergei Frankoff of Crowdstrike’s Research & Threat Intel team detailed how Pinchy Spider has taken some extraordinary steps to improve the gang’s technical prowess in order to take on more difficult targets. Some of these moves, like recruiting for experts with Remote Desktop Protocol, corporate spamming and virtual network computing skills on dark web forums which could be tells for their new ventures which require these skills. This is in addition to continuously improving the malware with version 5.2 having been recently released.

These skills are needed for big game hunting where instead of just encrypting an endpoint or system they gain entry and persistence and then begin moving laterally. This was first observed in February when an intruder using stolen credentials and RDP made three entries into a victim — being rebuffed once, then returning to conduct additional recon work, and finally looping back a third time to remove the security software that had been blocking GandCrab.

A second incident took place a few weeks later.

“This incident began with a compromise that resulted in the threat actor gaining control of the enterprise domain controller. Once Domain Controller access was acquired, the threat actor used the enterprise’s own IT systems management software, LANDesk, to deploy a loader (Phorpiex) to hosts across the enterprise,” Crowdstrike said.

Phorpiex gained access for the gang to all removable drives on the system and then installed GandCrab.

While big game hunting is not new, Pinchy Spider has put its own spin on the tactic. Instead of demanding a single payment to release all the encrypted files in an enterprise, now individual hosts are being encrypted and a payment is being demanded to unlock each host.

On the more “conventional” side of GandCrab, Sophos Labs noted the large number of third parties using the ransomware through its RaaS model, and how it continues to grow its client list through advertising campaigns.