Indrik Spider

Active

Also known as: Indrik Spider, Evil Corp, Manatee Tempest, DEV-0243, UNC2165

🌍

Other

Active Since

2021

MITRE ID

G0119

Techniques

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

MITRE ATT&CK Techniques

Recon1

T1590Gather Victim Network Information

Resource4

T1583Acquire Infrastructure

T1585.002Email Accounts

T1587.001Malware

T1584.004Server

Initial0

Exec5

T1059.007JavaScript

T1204.002Malicious File

T1059.001PowerShell

T1059.003Windows Command Shell

T1047Windows Management Instrumentation

Persist2

T1136Create Account

T1136.001Local Account

PrivEsc0

Defense7

T1070.001Clear Windows Event Logs

T1562.001Disable or Modify Tools

T1078.002Domain Accounts

T1484.001Group Policy Modification

T1036.005Match Legitimate Resource Name or Location

T1112Modify Registry

T1078Valid Accounts

Creds4

T1552.001Credentials In Files

T1558.003Kerberoasting

T1003.001LSASS Memory

T1555.005Password Managers

Discovery3

T1012Query Registry

T1018Remote System Discovery

T1007System Service Discovery

Lateral2

T1021.001Remote Desktop Protocol

T1021.004SSH

Collect1

T1074.001Local Data Staging

C21

T1105Ingress Tool Transfer

Exfil1

T1567.002Exfiltration to Cloud Storage

Impact2

T1486Data Encrypted for Impact

T1489Service Stop

Known Victims

live · just now

No victims recorded in ransomware.live for this group.