
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Traveling Spider

Names: Traveling Spider (CrowdStrike), Gold Mansard (SecureWorks)
Country: [Unknown]
Motivation: Financial gain
First seen: 2019
Description (BleepingComputer): A new ransomware has been spotted over the weekend, carrying references to the Russian president and antivirus software. The researchers call it Nemty.

This is the first version of Nemty ransomware, named so after the extension it adds to the files following the encryption process.
Observed: Countries: Argentina, Algeria, Austria, Belgium, Bhutan, Bolivia, Brazil, Canada, Chile, China, Czech, Denmark, Ecuador, Egypt, Estonia, France, Germany, Ghana, Guatemala, Guinea, Hungary, India, Indonesia, Iran, Italy, Japan, Latvia, Libya, Lithuania, Luxembourg, Malaysia, Morocco, Nepal, Netherlands, Niger, Pakistan, Philippines, Poland, Portugal, Russia, Slovakia, South Africa, South Korea, Spain, Sweden, Thailand, Turkey, UAE, UK, Ukraine, USA, Venezuela, Vietnam.
Tools used: 7-Zip, AdFind, BloodHound, LaZagne, MEGAsync, Mimikatz, Nefilim, Nemty, Network Password Recovery, PsExec, smbtool.
Operations performed:
Sep 2019: Nemty Ransomware Update Lets It Kill Processes and Services
<https://www.bleepingcomputer.com/news/security/nemty-ransomware-update-lets-it-kill-processes-and-services/>
Sep 2019: Fake PayPal Site Spreads Nemty Ransomware
<https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/>
Sep 2019: Nemty Ransomware Gets Distribution from RIG Exploit Kit
<https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/>
Oct 2019: Nemty 1.6 Ransomware Released and Pushed via RIG Exploit Kit
<https://www.bleepingcomputer.com/news/security/nemty-16-ransomware-released-and-pushed-via-rig-exploit-kit/>
Nov 2019: Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet>
Jan 2020: Nemty Ransomware to Start Leaking Non-Paying Victim's Data
<https://www.bleepingcomputer.com/news/security/nemty-ransomware-to-start-leaking-non-paying-victims-data/>
Feb 2020: Nemty Ransomware Actively Distributed via 'Love Letter' Spam
<https://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-distributed-via-love-letter-spam/>
Mar 2020: Nemty Ransomware Punishes Victims by Posting Their Stolen Data
<https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/>
Mar 2020: New Nefilim Ransomware Threatens to Release Victims' Data
<https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/>
Apr 2020: Nemty ransomware operation shuts down public RaaS
<https://www.zdnet.com/article/nemty-ransomware-operation-shuts-down/>
May 2020: Toll Group hit by ransomware a second time, deliveries affected
<https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/>
May 2020: Beyonce and Victoria's Secret lingerie maker targeted by extortionists
<https://news.sky.com/story/beyonce-and-victorias-secret-lingerie-maker-targeted-by-extortionists-11983025>
Jun 2020: Nefilim Hackers Publish Oil Firm Data Online and Continue Disruptive Campaign
<https://techmonitor.ai/techonology/cybersecurity/nefilim-hackers-publish-oil-firm>
Jul 2020: Orange confirms ransomware attack exposing business customers' data
<https://www.bleepingcomputer.com/news/security/orange-confirms-ransomware-attack-exposing-business-customers-data/>
Jul 2020: Business giant Dussmann Group's data leaked after ransomware attack
<https://www.bleepingcomputer.com/news/security/business-giant-dussmann-groups-data-leaked-after-ransomware-attack/>
Nov 2020: Luxottica data breach exposes 820K EyeMed, LensCrafters patients
<https://www.bleepingcomputer.com/news/security/luxottica-data-breach-exposes-820k-eyemed-lenscrafters-patients/>
Dec 2020: Home appliance giant Whirlpool hit in Nefilim ransomware attack
<https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/>
Jan 2021: Nefilim Ransomware Attack Uses "Ghost" Credentials
<https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/>
Mar 2021: The Nefilim Ransomware Group Has Hit 'Spirit Airlines'
<https://www.technadu.com/nefilim-ransomware-group-hit-spirit-airlines/252679/>
Information: <https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/>

Last change to this card: 09 August 2021


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
