G0119 · 33 ATT&CK techniques · 0 correlated reports

Indrik Spider

Aliases: Evil Corp, Manatee Tempest, DEV-0243, UNC2165

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.

Open interactive actor investigation

ATT&CK techniques

T1003.001
LSASS Memory T1587.001
Malware T1136
Create Account T1112
Modify Registry T1036.005
Match Legitimate Name or Location T1007
System Service Discovery T1583
Acquire Infrastructure T1070.001
Clear Windows Event Logs T1562.001
Disable or Modify Tools T1074.001
Local Data Staging T1021.001
Remote Desktop Protocol T1555.005
Password Managers T1590
Gather Victim Network Information T1059.001
PowerShell T1078.002
Domain Accounts T1552.001
Credentials In Files T1567.002
Exfiltration to Cloud Storage T1059.003
Windows Command Shell T1484.001
Group Policy Modification T1047
Windows Management Instrumentation T1078
Valid Accounts T1486
Data Encrypted for Impact T1136.001
Local Account T1018
Remote System Discovery T1059.007
JavaScript T1585.002
Email Accounts T1105
Ingress Tool Transfer T1489
Service Stop T1012
Query Registry T1558.003
Kerberoasting T1204.002
Malicious File T1021.004
SSH T1584.004
Server

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research