Indrik Spider

Threat Actor Profile Updated 3 months ago
Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Indrik Spider utilize BitPaymer ransomware as a principal tool, netting approximately $1.5M USD within the first 15 months of their ransomware operations. Alongside this, the group operated Dridex malware, containing modules that could collect information from infected hosts, despite the ransomware itself not having this functionality. Indrik Spider's adaptability and resilience have been evident in their continuous advancements in campaigns, the implementation of new tools, and the adoption of third-party products and services. Despite sanctions and indictments against the group and its members, Indrik Spider has shown significant resources and operational resilience, continuing to diversify its strategies. The group's shift towards selective targeting of organizations for high ransomware payouts marked a new focus on targeted, low-volume, high-return criminal activity, referred to as big game hunting. In a further evolution of tactics, Indrik Spider moved away from using email communication and the possibility of exfiltrating data from victims to elicit payments. CrowdStrike Intelligence identified Hades ransomware as Indrik Spider’s successor to WastedLocker based on significant code overlap. However, Hades underwent minor modifications, removing features characteristic of Indrik Spider’s previous ransomware families — WastedLocker and BitPaymer. Falcon Intelligence predicts that Indrik Spider will continue to operate both Dridex and BitPaymer, with the two monetization strategies complementing each other.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Gozi Isfb (1 vote)
Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Ransomware
Fraud
Malware
Ransom
Crowdstrike
Bitcoin
Cobalt Strike
Trojan
Associated Malware
Dridex (type: Unspecified, 2 votes)
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o

BitPaymer (type: Unspecified, 1 vote)
BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha

WastedLocker (type: Unspecified, 1 vote)
WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i

Gozi (type: Unspecified, 1 vote)
Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c

Hades Ransomware (type: Unspecified, 1 vote)
Hades ransomware is a variant of the WastedLocker malware, which is designed to exploit and damage computers or devices. It was observed by CTU researchers being used in conjunction with Advanced Port Scanner, MegaSync, and Malleable C2 tools in various cyberattack incidents. These tools have been l
Associated Threat Actors
Evil Corp (type: Unspecified, 2 votes)
Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio

TA505 (type: Unspecified, 1 vote)
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec

Hades (type: Unspecified, 1 vote)
Hades is a notable threat actor, known for its distinctive tactics and infrastructure in executing cyber attacks. The cybersecurity industry first observed Hades' operations in June 2021, with its activities marked by the use of advanced tools such as Advanced Port Scanner, MegaSync, Rclone, and Mal

Grim Spider (type: Unspecified, 1 vote)
GRIM SPIDER is a malicious threat actor, along with INDRIK SPIDER and BOSS SPIDER, that has been continuously operating in the cybersecurity landscape. These entities are responsible for executing actions with harmful intent, which could range from data breaches to deploying ransomware. The cybersec

FIN11 (type: Unspecified, 1 vote)
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Indrik Spider Threat Actor was read from the documents corpus below (display limited to 20 results).

MITRE (a year ago): Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
MITRE (a year ago): INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
CERT-EU (a year ago): DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine (DoppelPaymer: raids against ransomware gang in North Rhine-Westphalia and Ukraine)
CERT-EU (a year ago): Russian cybercriminals spread new Lobshot banking trojan via Google ads
CERT-EU (a year ago): LOBSHOT: a Covert, Info-Stealing Malware on the Loose