Threat Group Cards: A Threat Actor Encyclopedia

APT group: Traveling Spider

Names: Traveling Spider (CrowdStrike), Gold Mansard (SecureWorks)
Motivation: Financial gain
First seen: 2019
Description: (BleepingComputer) A new ransomware has been spotted over the weekend, carrying references to the Russian president and antivirus software. The researchers call it Nemty.

This is the first version of Nemty ransomware, named so after the extension it adds to the files following the encryption process.
Observed: Countries: Argentina, Algeria, Austria, Belgium, Bhutan, Bolivia, Brazil, Canada, Chile, China, Czech, Denmark, Ecuador, Egypt, Estonia, France, Germany, Ghana, Guatemala, Guinea, Hungary, India, Indonesia, Iran, Italy, Japan, Latvia, Libya, Lithuania, Luxembourg, Malaysia, Morocco, Nepal, Netherlands, Niger, Pakistan, Philippines, Poland, Portugal, Russia, Slovakia, South Africa, South Korea, Spain, Sweden, Thailand, Turkey, UAE, UK, Ukraine, USA, Venezuela, Vietnam.
Tools used: 7-Zip, AdFind, BloodHound, LaZagne, MEGAsync, Mimikatz, Nefilim, Nemty, Network Password Recovery, PsExec, smbtool.
Operations performed:
Sep 2019: Nemty Ransomware Update Lets It Kill Processes and Services
Sep 2019: Fake PayPal Site Spreads Nemty Ransomware
Sep 2019: Nemty Ransomware Gets Distribution from RIG Exploit Kit
Oct 2019: Nemty 1.6 Ransomware Released and Pushed via RIG Exploit Kit
Nov 2019: Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Jan 2020: Nemty Ransomware to Start Leaking Non-Paying Victim's Data
Feb 2020: Nemty Ransomware Actively Distributed via 'Love Letter' Spam
Mar 2020: Nemty Ransomware Punishes Victims by Posting Their Stolen Data
Mar 2020: New Nefilim Ransomware Threatens to Release Victims' Data
Apr 2020: Nemty ransomware operation shuts down public RaaS
May 2020: Toll Group hit by ransomware a second time, deliveries affected
May 2020: Beyonce and Victoria's Secret lingerie maker targeted by extortionists
Jun 2020: Nefilim Hackers Publish Oil Firm Data Online and Continue Disruptive Campaign
Jul 2020: Orange confirms ransomware attack exposing business customers' data
Jul 2020: Business giant Dussmann Group's data leaked after ransomware attack
Nov 2020: Luxottica data breach exposes 820K EyeMed, LensCrafters patients
Dec 2020: Home appliance giant Whirlpool hit in Nefilim ransomware attack
Jan 2021: Nefilim Ransomware Attack Uses “Ghost” Credentials
Mar 2021: The Nefilim Ransomware Group Has Hit ‘Spirit Airlines’

Last change to this card: 09 August 2021

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
