ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Indrik Spider

Names: Indrik Spider (CrowdStrike), Evil Corp (self given)
Country: Russia
Motivation: Financial crime, financial gain
First seen: 2014
Description: (CrowdStrike) Indrik Spider is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted Indrik Spider millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.

In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by Indrik Spider, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

Indrik Spider appears to be a subgroup of TA505 (also tracked as Graceful Spider and Gold Evergreen). In 2019, a subgroup of Indrik Spider split off to form Doppel Spider.

Dridex has been observed to be distributed via Necurs (operated by Monty Spider) and Emotet (operated by Mummy Spider, TA542).
Observed sectors: Financial, Government, Healthcare.
Observed countries: Worldwide.
Tools used: BitPaymer, Cobalt Strike, Cridex, Dridex, EmpireProject, Mimikatz, PowerSploit, PsExec, WastedLocker.
Operations performed:
Aug 2017: Several hospitals that are part of the NHS Lanarkshire board were hit on a Friday by a version of the BitPaymer ransomware. The NHS Lanarkshire board includes hospitals such as Hairmyres Hospital in East Kilbride, Monklands Hospital in Airdrie and Wishaw General Hospital.
<https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/>
Jul 2018: BitPaymer ransomware paralyzes the IT systems of an Alaskan town.
<https://socprime.com/en/news/bitpaymer-ransomware-paralyzes-it-systems-of-the-alaskan-town/>
Jan 2019: Arizona Beverages knocked offline by ransomware attack.
<https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/>
May 2019: BitPaymer ransomware leveraging a new custom packer framework against targets across the U.S.
<https://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework>
Aug 2019: Apple zero-day exploited in a new BitPaymer campaign.
<https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign>
Oct 2019: Pilz, one of the world's largest producers of automation tools, was down for more than a week after suffering a ransomware infection.
<https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/>
Nov 2019: Everis, an NTT DATA company and one of Spain's largest managed service providers (MSPs), had its computer systems encrypted in a ransomware attack, on the same day as Spain's largest radio station, Cadena SER (Sociedad Española de Radiodifusión).
<https://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/>
May 2020: WastedLocker, a new ransomware variant developed by the Evil Corp group.
<https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/>
Jul 2020: Garmin services and production go down after a ransomware attack.
<https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/>
Counter operations:
Oct 2015: In the fall of 2015, the Dell SecureWorks Counter Threat Unit (CTU) research team collaborated with the UK National Crime Agency (NCA), the U.S. Federal Bureau of Investigation (FBI), and the Shadowserver Foundation to take over the Dridex banking trojan botnet.
<https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation>
Dec 2019: Russian national charged with a decade-long series of hacking and bank fraud offenses resulting in tens of millions in losses, and a second Russian national charged with involvement in the deployment of the "Bugat" malware.
<https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens>
Dec 2019: Treasury sanctions Evil Corp, the Russia-based cybercriminal group behind the Dridex malware.
<https://home.treasury.gov/news/press-releases/sm845>
Information:
<https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/>
<https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/>
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/>
<https://www.us-cert.gov/ncas/alerts/aa19-339a>

Last change to this card: 30 July 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
