{
	"id": "31fa19c8-d1ee-4529-b3f9-4015bbc615b8",
	"created_at": "2026-04-06T00:18:16.239491Z",
	"updated_at": "2026-04-10T03:33:15.499265Z",
	"deleted_at": null,
	"sha1_hash": "18c049520f8211bb477bbaf0b98ed6e129f2e07a",
	"title": "INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420960,
	"plain_text": "INDRIK SPIDER: WastedLocker Superseded by Hades\r\nRansomware\r\nBy Adam Podlosky - Brendon Feeley\r\nArchived: 2026-04-05 18:42:23 UTC\r\nIntroduction\r\nIn December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against\r\nthe Russia-based cybercriminal group INDRIK SPIDER, also known as Evil Corp, a sophisticated eCrime (ECX\r\n357.19) adversary notorious for conducting numerous schemes against a variety of targets beginning in 2014. This\r\nadversary is best known for their Dridex banking trojan, which was prolific from June 2014 through early 2020,\r\nand their BitPaymer crypter used in big game hunting (BGH) attacks beginning in 2017. The OFAC action\r\nconsisted of sanctions that prohibit the facilitation of significant payments to the organization, such as those\r\ninvolved in BGH ransom payments. In addition to OFAC’s action against INDRIK SPIDER, the U.S. Department\r\nof Justice (DOJ) charged two key members of the group — Maksim Yakubets and Igor Turashev — with criminal\r\ninfringements, and the U.S. Department of State announced a reward of up to $5 million USD for any information\r\nleading to the capture or conviction of INDRIK SPIDER’s leader. Following the OFAC sanctions and the\r\nunsealing of the indictment, INDRIK SPIDER went through significant periods of downtime and continued to\r\ndevelop their MO, TTPs and tradecraft in an attempt to evade the sanctions placed upon them — the latest\r\nevolution is Hades, which first reared its head after the OFAC action was announced.\r\nINDRIK SPIDER’s Reaction\r\nSubsequent to the announcement of the sanctions against the group, INDRIK SPIDER disappeared for a short\r\nwhile until reappearing in January 2020, when BitPaymer was once again observed being used in a BGH\r\noperation against a victim conglomerate spanning multiple verticals. 
This BitPaymer operation was one of the first\r\nidentified examples of INDRIK SPIDER using a variant of Gozi ISFB as a part of their toolset instead of their\r\nDridex banking trojan. Following a short hiatus from March to May 2020, INDRIK SPIDER significantly\r\nincreased their efforts to move away from their existing tools and introduced WastedLocker — the successor to\r\ntheir BitPaymer ransomware. Approximately six months after the OFAC sanctions and the unsealing of the\r\nindictment against Yakubets and Turashev, WastedLocker was used in the first BGH campaign, marking a new era\r\nfor INDRIK SPIDER, as they also began using a variant of Gozi ISFB in their operations. This further operational\r\nshift was highly likely an attempt to distance themselves from their infamous Dridex and BitPaymer tools. In June\r\n2020, the trend of moving away from their typical infection chain continued, and INDRIK SPIDER began using\r\nfake browser updates to deliver the Cobalt Strike red-teaming tool. INDRIK SPIDER extensively used Cobalt\r\nStrike to establish an initial foothold and move laterally within the victim network. Once control over the\r\nenterprise environment was established, WastedLocker would subsequently be executed in their BGH campaigns.\r\nINDRIK SPIDER continued with their usual operational tempo, infecting organizations across more than a dozen\r\nsectors — predominantly in the U.S. — until late 2020.\r\nhttps://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/\r\nPage 1 of 4\n\nWastedLocker to Hades Evolution\r\nBased on significant code overlap, CrowdStrike Intelligence has identified Hades ransomware as INDRIK\r\nSPIDER’s successor to WastedLocker. 
Hades ransomware — first publicly identified by security researchers in\r\nDecember 2020 — was named for a Tor hidden website that victims are instructed to visit; however, Hades is\r\nmerely a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes.\r\nThe WastedLocker-derived Hades ransomware is unrelated to a similarly named ransomware family, Hades\r\nLocker, identified by security firms in 2016. Hades ransomware shares the majority of its functionality with\r\nWastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory\r\nenumeration and encryption functionality are largely unchanged. Hades did receive minor modifications, and the\r\nremoved features included those that were uniquely characteristic of INDRIK SPIDER’s previous ransomware\r\nfamilies — WastedLocker and BitPaymer. At the time of this publication, CrowdStrike has identified the\r\nfollowing changes INDRIK SPIDER made to the WastedLocker-derived Hades ransomware variant:\r\nHades is now a 64-bit compiled executable with additional code-obfuscation, likely to disguise the minimal\r\nchanges, evade existing signature-based detections and hinder reverse engineering efforts.\r\nThe majority of standard file and registry Windows API calls were replaced with their system call\r\ncounterparts (i.e., the user-mode Native APIs exported from NTDLL).\r\nHades employs a different User Account Control (UAC) bypass than WastedLocker; however, both\r\nimplementations are taken directly from the open-source UACME project\r\n(https\u003c:\u003e//github\u003c.\u003ecom/hfiref0x/UACME).\r\nHades writes a single ransom note named HOW-TO-DECRYPT-.txt to traversed directories, as opposed to\r\nWastedLocker’s and BitPaymer’s approach of creating a note for each encrypted file.\r\nHades ransomware now stores the key information in each encrypted file rather than the ransom note. 
Both\r\nWastedLocker and BitPaymer stored the encoded and encrypted key information in the file-specific ransom\r\nnotes.\r\nWhile Hades still copies itself to a generated subdirectory in Application Data, it no longer uses the\r\n:bin Alternate Data Stream (ADS). The use of the :bin ADS path was characteristic of both\r\nWastedLocker and BitPaymer.\r\nINDRIK SPIDER’s move to this ransomware variant also came with another shift in tactics: the departure from\r\nusing email communication and the possibility of exfiltrating data from victims to elicit payments. The Hades\r\nransom note (shown in Figure 1) directs victims to a Tor hidden site. The identified ransom notes do not identify\r\nthe victim company, as was often observed with WastedLocker and BitPaymer.\r\nFigure 1. Hades ransomware (WastedLocker variant) ransom note\r\nThe Tor website (shown in Figure 2) is unique for each victim and states that data has been exfiltrated from their\r\nnetwork. The only provided means of contact is a Tox identifier for communication with the Tox peer-to-peer\r\ninstant messenger (https\u003c:\u003e//tox\u003c.\u003echat/).\r\nFigure 2. Hades ransomware (WastedLocker variant) Tor site\r\nConclusion\r\nSince the OFAC sanctions and DOJ indictments against the group and its members, INDRIK SPIDER’s continued\r\ndiversification has demonstrated the group’s significant resources and operational resilience. INDRIK SPIDER’s\r\nability to adapt and overcome adversity has been illustrated in their continual advances in their campaigns,\r\nimplementation of new tools, and adoption of third-party products and services. The development of their\r\ntradecraft has almost certainly been prompted by the legal action taken against them. 
The continued development\r\nof WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known\r\ntooling to aid them in bypassing the sanctions imposed upon them. The sanctions and indictments have\r\nundoubtedly significantly impacted the group and have made it difficult for INDRIK SPIDER to successfully\r\nmonetize their criminal endeavors.\r\nIndicators of Compromise\r\nDescription: Hades ransomware, variant of WastedLocker\r\nSHA256 Hash: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87\r\nAdditional Resources\r\nRead more about big game hunting adversaries tracked by CrowdStrike Intelligence in 2020 in the\r\nCrowdStrike 2021 Global Threat Report.\r\nCheck out the Global Threat Report resource hub to learn more about today’s adversaries.\r\nTo find out more about how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product\r\nwebpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/"
	],
	"report_names": [
		"hades-ransomware-successor-to-indrik-spiders-wastedlocker"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18c049520f8211bb477bbaf0b98ed6e129f2e07a.pdf",
		"text": "https://archive.orkl.eu/18c049520f8211bb477bbaf0b98ed6e129f2e07a.txt",
		"img": "https://archive.orkl.eu/18c049520f8211bb477bbaf0b98ed6e129f2e07a.jpg"
	}
}