ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Viking Spider

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Viking Spider

NamesViking Spider (CrowdStrike)
Country[Unknown]
MotivationFinancial gain
First seen2019
Description(Analyst1) Viking Spider first began ransom operations in December 2019, and they use ransomware known as Ragnar Locker to compromise and extort organizations. Below are key findings identified while researching Viking Spider activity.

• Viking Spider is the first ransomware attacker to install their own virtual machine (VM) into victim environments. They use this VM to evade detection, and they also use it as a launch point to execute the attack.

• The gang is the first to use Facebook ads to pressure victims into paying the ransom.

• Viking Spider outsources call centers in India to contact victims asking them to pay the ransom or risk data exposure.

• Viking Spider uses Managed Service Provider (MSP) software to deliver malware and hacktools as well as provide remote access into victim environments.

• Viking Spider is one of the few gangs who conduct DDoS attacks alongside ransom attacks to pressure victims to pay. Another Cartel gang first used this tactic, but Viking Spider quickly adopted it for their uses as well.

• Viking Spider uses social media such as Twitter to shame non-paying victims publicly.
ObservedSectors: Automotive, Construction, Energy, Hospitality, IT, Law enforcement, Media, Telecommunications.
Countries: Italy, Japan, Portugal, USA.
Tools usedRagnarLocker.
Operations performedApr 2020RagnarLocker ransomware hits EDP energy giant, asks for €10M
<https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/>
May 2020Ransomware deploys virtual machines to hide itself from antivirus software
<https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/>
Jul 2020Ragnar Locker Targets CWT in Ransomware Attack
<https://cybelangel.com/blog/ragnar-locker-targets-cwt/>
Nov 2020Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
<https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/>
Nov 2020Ransomware Group Turns to Facebook Ads
<https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/>
Nov 2020Campari hit by Ragnar Locker Ransomware, $15 million demanded
<https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/>
Jan 2021Ragnar Locker Ransomware Attack Impacts Employee Records at Dassault Falcon Jet
<https://chaslescorp.com/ragnar-locker-ransomware-attack-impacts-employee-records-at-dassault-falcon-jet/>
Jun 2021Computer memory maker ADATA hit by Ragnar Locker ransomware
<https://www.bleepingcomputer.com/news/security/computer-memory-maker-adata-hit-by-ragnar-locker-ransomware/>
Information<https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf>
<https://cybernews.com/security/how-we-applied-to-work-with-ransomware-gang/>

Last change to this card: 15 June 2021

Download this actor card in PDF or JSON format

Previous: Vicious Panda
Next: Volatile Cedar

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key