Threat Actor Profile
High APT
Description

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

Confidence Score: 90%
Known Aliases: Indrik Spider, Evil Corp, Manatee Tempest, DEV-0243, UNC2165
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026
MITRE ATT&CK Techniques (33)
T1074.001 - Local Data Staging (Collection)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1552.001 - Credentials In Files (Credential Access)
T1555.005 - Password Managers (Credential Access)
T1558.003 - Kerberoasting (Credential Access)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1078.002 - Domain Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1484.001 - Group Policy Modification (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1007 - System Service Discovery (Discovery)
T1012 - Query Registry (Discovery)
T1018 - Remote System Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.007 - JavaScript (Execution)
T1204.002 - Malicious File (Execution)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1486 - Data Encrypted for Impact (Impact)
T1489 - Service Stop (Impact)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.004 - SSH (Lateral Movement)
T1136 - Create Account (Persistence)
T1136.001 - Local Account (Persistence)
T1590 - Gather Victim Network Information (Reconnaissance)
T1583 - Acquire Infrastructure (Resource Development)
T1584.004 - Server (Resource Development)
T1585.002 - Email Accounts (Resource Development)
T1587.001 - Malware (Resource Development)
STIX Data
{'aliases': ['Indrik Spider',
             'Evil Corp',
             'Manatee Tempest',
             'DEV-0243',
             'UNC2165'],
 'created': '2021-01-06T17:46:35.134Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Indrik Spider](https://attack.mitre.org/groups/G0119) is a '
                'Russia-based cybercriminal group that has been active since '
                'at least 2014. [Indrik '
                'Spider](https://attack.mitre.org/groups/G0119) initially '
                'started with the '
                '[Dridex](https://attack.mitre.org/software/S0384) banking '
                'Trojan, and then by 2017 they began running ransomware '
                'operations using '
                '[BitPaymer](https://attack.mitre.org/software/S0570), '
                '[WastedLocker](https://attack.mitre.org/software/S0612), and '
                'Hades ransomware. Following U.S. sanctions and an indictment '
                'in 2019, [Indrik '
                'Spider](https://attack.mitre.org/groups/G0119) changed their '
                'tactics and diversified their toolset.(Citation: Crowdstrike '
                'Indrik November 2018)(Citation: Crowdstrike EvilCorp March '
                '2021)(Citation: Treasury EvilCorp Dec 2019)',
 'external_references': [{'external_id': 'G0119',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0119'},
                         {'description': '(Citation: Crowdstrike EvilCorp '
                                         'March 2021)(Citation: Treasury '
                                         'EvilCorp Dec 2019)',
                          'source_name': 'Evil Corp'},
                         {'description': '(Citation: Mandiant_UNC2165)',
                          'source_name': 'UNC2165'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Manatee Tempest'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'DEV-0243'},
                         {'description': 'Frankoff, S., Hartley, B. (2018, '
                                         'November 14). Big Game Hunting: The '
                                         'Evolution of INDRIK SPIDER From '
                                         'Dridex Wire Fraud to BitPaymer '
                                         'Targeted Ransomware. Retrieved '
                                         'January 6, 2021.',
                          'source_name': 'Crowdstrike Indrik November 2018',
                          'url': 'https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/'},
                         {'description': 'Mandiant Intelligence. (2022, June '
                                         '2). To HADES and Back: UNC2165 '
                                         'Shifts to LOCKBIT to Evade '
                                         'Sanctions. Retrieved July 29, 2024.',
                          'source_name': 'Mandiant_UNC2165',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Podlosky, A., Feeley, B. (2021, '
                                         'March 17). INDRIK SPIDER Supersedes '
                                         'WastedLocker with Hades Ransomware '
                                         'to Circumvent OFAC Sanctions. '
                                         'Retrieved September 15, 2021.',
                          'source_name': 'Crowdstrike EvilCorp March 2021',
                          'url': 'https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/'},
                         {'description': 'U.S. Department of Treasury. (2019, '
                                         'December 5). Treasury Sanctions Evil '
                                         'Corp, the Russia-Based Cybercriminal '
                                         'Group Behind Dridex Malware. '
                                         'Retrieved September 15, 2021.',
                          'source_name': 'Treasury EvilCorp Dec 2019',
                          'url': 'https://home.treasury.gov/news/press-releases/sm845'}],
 'id': 'intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07',
 'modified': '2024-10-28T19:11:56.485Z',
 'name': 'Indrik Spider',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Jennifer Kim Roman, CrowdStrike',
                          'Liran Ravich, CardinalOps'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.1'}