Indrik Spider

Threat Actor Profile Updated 13 days ago
Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Indrik Spider utilize BitPaymer ransomware as a principal tool, netting approximately $1.5M USD within the first 15 months of its ransomware operations. Alongside this, the group operated Dridex malware, which contained modules that could collect information from infected hosts, even though the ransomware itself lacked this functionality.

Indrik Spider's adaptability and resilience have been evident in its continuous advancement of campaigns, the implementation of new tools, and the adoption of third-party products and services. Despite sanctions and indictments against the group and its members, Indrik Spider has shown significant resources and operational resilience, continuing to diversify its strategies. The group's shift towards selective targeting of organizations for high ransomware payouts marked a new focus on targeted, low-volume, high-return criminal activity, referred to as big game hunting. In a further evolution of tactics, Indrik Spider moved away from using email communication and the possibility of exfiltrating data from victims to elicit payments.

CrowdStrike Intelligence identified Hades ransomware as Indrik Spider’s successor to WastedLocker based on significant code overlap. However, Hades underwent minor modifications, removing features characteristic of Indrik Spider’s previous ransomware families — WastedLocker and BitPaymer. Falcon Intelligence predicts that Indrik Spider will continue to operate both Dridex and BitPaymer, with the two monetization strategies complementing each other.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
Dridex | Unspecified | 2 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Associated Threat Actors
ID | Type | Votes | Profile Description
Evil Corp | Unspecified | 2 | Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Indrik Spider threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | LOBSHOT: a Covert, Info-Stealing Malware on the Loose
MITRE | a year ago | Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
CERT-EU | a year ago | DoppelPaymer: Raids against ransomware gang in North Rhine-Westphalia and Ukraine (original German title: "DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine")
CERT-EU | a year ago | Russian cybercriminals spread new Lobshot banking trojan via Google ads
MITRE | a year ago | INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware