Indrik Spider

Threat Actor updated 6 months ago (2024-11-29T14:13:06.285Z)

Download STIX

Preview STIX

Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Indrik Spider utilize BitPaymer ransomware as a principal tool, netting approximately $1.5M USD within the first 15 months of their ransomware operations. Alongside this, the group operated Dridex malware, containing modules that could collect information from infected hosts, despite the ransomware itself not having this functionality. Indrik Spider's adaptability and resilience have been evident in their continuous advancements in campaigns, the implementation of new tools, and the adoption of third-party products and services. Despite sanctions and indictments against the group and its members, Indrik Spider has shown significant resources and operational resilience, continuing to diversify its strategies. The group's shift towards selective targeting of organizations for high ransomware payouts marked a new focus on targeted, low-volume, high-return criminal activity, referred to as big game hunting. In a further evolution of tactics, Indrik Spider moved away from using email communication and the possibility of exfiltrating data from victims to elicit payments. CrowdStrike Intelligence identified Hades ransomware as Indrik Spider’s successor to WastedLocker based on significant code overlap. However, Hades underwent minor modifications, removing features characteristic of Indrik Spider’s previous ransomware families — WastedLocker and BitPaymer. Falcon Intelligence predicts that Indrik Spider will continue to operate both Dridex and BitPaymer, with the two monetization strategies complementing each other.

Description last updated: 2024-05-04T18:01:03.035Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Cybercrime

Crowdstrike

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The BitPaymer Malware is associated with Indrik Spider. BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransom	Unspecified	2
The WastedLocker Malware is associated with Indrik Spider. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili	Unspecified	2
The Dridex Malware is associated with Indrik Spider. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evil Corp Threat Actor is associated with Indrik Spider. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe	Unspecified	2

Source Document References

Information about the Indrik Spider Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
SANS ISC	8 days ago	Alternate Data Streams ? Adversary Defense Evasion and Detection [Guest Diary] - SANS Internet Storm Center
CrowdStrike	4 months ago	Detect Data Exfiltration with Falcon Next-Gen SIEM \| CrowdStrike
CrowdStrike	4 months ago	CrowdStrike Falcon Earns Perfect Score in SE Labs’ Ransomware Evaluation
MITRE	2 years ago	Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
MITRE	2 years ago	INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
CERT-EU	2 years ago	DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine
CERT-EU	2 years ago	DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine
CERT-EU	2 years ago	Russian cybercriminals spread new Lobshot banking trojan via Google ads
CERT-EU	2 years ago	LOBSHOT: a Covert, Info-Stealing Malware on the Loose