NEW: Group Profiler — instant APT intel lookup. Try it →

← threatfilter.dev / all groups / Indrik Spider

Indrik Spider

G0119 Russia MITRE ATT&CK →

Also known as: Evil Corp · Manatee Tempest · DEV-0243 · UNC2165

Overview

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.

Capabilities

Custom malware/implant development — ATT&CK: 4 attributed custom malware families

TTPs — 33 techniques across 13 tactics

Reconnaissance

T1590 Gather Victim Network Information

Resource Development

T1583 Acquire Infrastructure
T1584.004 Server
T1585.002 Email Accounts
T1587.001 Malware

Execution

T1047 Windows Management Instrumentation
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1059.007 JavaScript
T1204.002 Malicious File

Persistence

T1136 Create Account
T1136.001 Local Account

Stealth

T1036.005 Match Legitimate Resource Name or Location
T1078 Valid Accounts
T1078.002 Domain Accounts

Defense Impairment

Credential Access

T1003.001 LSASS Memory
T1552.001 Credentials In Files
T1555.005 Password Managers
T1558.003 Kerberoasting

Discovery

Lateral Movement

T1021.001 Remote Desktop Protocol
T1021.004 SSH

Collection

T1074.001 Local Data Staging

Command and Control

T1105 Ingress Tool Transfer

Exfiltration

T1567.002 Exfiltration to Cloud Storage

Impact

T1486 Data Encrypted for Impact
T1489 Service Stop

Tools & malware (8)

Donut · Mimikatz · Empire · PsExec · Dridex · WastedLocker · BitPaymer · Cobalt Strike

Reporting (3)

How Microsoft names threat actors — Microsoft
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions — Mandiant Intelligence
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions — Podlosky, A., Feeley, B