Indrik Spider

Also known as: DEV-0243, Evil Corp, Indrik Spider, Manatee Tempest, UNC2165, INDRIK SPIDER, EvilCorp, GOLD DRAKE

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset. (Crowdstrike Indrik November 2018; Crowdstrike EvilCorp March 2021; Treasury EvilCorp Dec 2019)

🌍 Country: Russia
🧭 ATT&CK: G0119


Activities and Tactics

Country of Origin: 🇷🇺 Russia

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Trojan.Karagany
  • Trojan.Mebromi
  • CyberGate
  • Cyber Eye RAT

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK entry
[2] Crowdstrike Indrik November 2018
[3] Crowdstrike EvilCorp March 2021
[4] Treasury EvilCorp Dec 2019