Home > List all groups > Sprite Spider, Gold Dupont

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Sprite Spider, Gold Dupont

NamesSprite Spider (CrowdStrike)
Gold Dupont (SecureWorks)
MotivationFinancial crime, Financial gain
First seen2015
Description(CrowdStrike) In 2020, CrowdStrike Intelligence observed both SPRITE SPIDER (the operators of Defray777) and Carbanak, Anunak (the operators of DarkSide) deploy Linux versions of their respective ransomware families on ESXi hosts during BGH operations. While ransomware for Linux has existed for many years, BGH actors have historically not targeted Linux, much less ESXi specifically. ESXi is a type of hypervisor that runs on dedicated hardware and manages multiple virtual machines (VMs). With more organizations migrating to virtualization solutions to consolidate legacy IT systems, this is a natural target for ransomware operators looking to increase the impact against a victim.

All identified incidents were enabled by the acquisition of valid credentials. In four separate Defray777 incidents, SPRITE SPIDER used administrator credentials to log in through the vCenter web interface. In one instance, SPRITE SPIDER likely used the PyXie remote access trojan (RAT) LaZagne module to harvest vCenter administrator credentials stored in a web browser.

By targeting these hosts, ransomware operators are able to quickly encrypt multiple systems with relatively few actual ransomware deployments. Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations. Additionally, due to their lack of conventional operating systems, ESXi hosts lack endpoint protection software that could prevent or detect ransomware attacks.
ObservedSectors: Education, Healthcare, Manufacturing, Technology.
Tools usedCobalt Strike, Defray777, LaZagne, Metasploit, PyXie, SharpHound, Shifu, SystemBC, Vatet.
Operations performedAug 2017New Defray Ransomware Targets Education and Healthcare Verticals
May 2020Texas Courts hit by ransomware, network disabled to limit spread
Jun 2020New Ransom X Ransomware used in Texas TxDOT cyberattack
Aug 2020Business technology giant Konica Minolta hit by new ransomware
Sep 2020SoftServe hit by ransomware, Windows customization tool exploited
Sep 2020Leading U.S. laser developer IPG Photonics hit with ransomware
Sep 2020Government software provider Tyler Technologies hit by ransomware
Oct 2020Montreal's STM public transport system hit by ransomware attack
Nov 2020Brazil's court system under massive RansomExx ransomware attack
Nov 2020RansomExx ransomware also encrypts Linux systems
Dec 2020Hackers leak data from Embraer, world's third-largest airplane maker
Feb 2021French MNH health insurance company hit by RansomExx ransomware
Feb 2021Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
Jul 2021Ecuador's state-run CNT telco hit by RansomEXX ransomware
Aug 2021RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna
Aug 2021Computer hardware giant GIGABYTE hit by RansomEXX ransomware

Last change to this card: 09 August 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key