{
	"id": "d27028b7-b37d-4fbb-aff6-ec151d18c8f2",
	"created_at": "2026-04-06T00:15:04.34244Z",
	"updated_at": "2026-04-10T03:28:08.960015Z",
	"deleted_at": null,
	"sha1_hash": "19e7625edcdd5331ce64685b0199aa81b0c5e0a7",
	"title": "Viking Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66429,
	"plain_text": "Viking Spider - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:25:05 UTC\r\nHome \u003e List all groups \u003e Viking Spider\r\n APT group: Viking Spider\r\nNames Viking Spider (CrowdStrike)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2019\r\nDescription\r\n(Analyst1) Viking Spider first began ransom operations in December 2019, and they\r\nuse ransomware known as Ragnar Locker to compromise and extort organizations.\r\nBelow are key findings identified while researching Viking Spider activity.\r\n• Viking Spider is the first ransomware attacker to install their own virtual machine\r\n(VM) into victim environments. They use this VM to evade detection, and they also\r\nuse it as a launch point to execute the attack.\r\n• The gang is the first to use Facebook ads to pressure victims into paying the\r\nransom.\r\n• Viking Spider outsources call centers in India to contact victims asking them to pay\r\nthe ransom or risk data exposure.\r\n• Viking Spider uses Managed Service Provider (MSP) software to deliver malware\r\nand hacktools as well as provide remote access into victim environments.\r\n• Viking Spider is one of the few gangs who conduct DDoS attacks alongside\r\nransom attacks to pressure victims to pay. 
Another Cartel gang first used this tactic,\r\nbut Viking Spider quickly adopted it for their uses as well.\r\n• Viking Spider uses social media such as Twitter to shame non-paying victims\r\npublicly.\r\nObserved\r\nSectors: Automotive, Construction, Energy, Hospitality, IT, Law enforcement,\r\nMedia, Telecommunications.\r\nCountries: Greece, Italy, Japan, Portugal, USA.\r\nTools used RagnarLocker.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3579aff-2cc6-452c-837b-91f4b3825bf2\r\nPage 1 of 3\n\nOperations performed\nApr 2020\nRagnarLocker ransomware hits EDP energy giant, asks for €10M\nMay 2020\nRansomware deploys virtual machines to hide itself from antivirus\nsoftware\nJul 2020\nRagnar Locker Targets CWT in Ransomware Attack\nNov 2020\nCapcom hit by Ragnar Locker ransomware, 1TB allegedly stolen\nNov 2020\nRansomware Group Turns to Facebook Ads\nNov 2020\nCampari hit by Ragnar Locker Ransomware, $15 million demanded\nJan 2021\nRagnar Locker Ransomware Attack Impacts Employee Records at\nDassault Falcon Jet\nJun 2021\nComputer memory maker ADATA hit by Ragnar Locker ransomware\nSep 2021\nRansomware gang threatens to leak data if victim contacts FBI, police\nSep 2021\nCustomer Care Giant TTEC Hit By Ransomware\nAug 2022\nRagnar Locker Likely Behind Attack on Greek Gas Operator\nSep 2022\nRagnar Locker ransomware claims attack on Portugal's flag airline\nNov 2022\nRansomware gang targets Belgian municipality, hits police instead\nAug 2023\nHackers claim to publish prominent Israeli hospital’s patient data\nCounter operations\nOct 2023\nRagnar Locker ransomware’s dark web extortion sites seized by police\nOct 2023\nRagnar Locker ransomware developer arrested in France\nInformation\nLast change to this card: 29 November 2023\nDownload this actor card in PDF or JSON format\nSource: 
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3579aff-2cc6-452c-837b-91f4b3825bf2\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3579aff-2cc6-452c-837b-91f4b3825bf2\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e3579aff-2cc6-452c-837b-91f4b3825bf2"
	],
	"report_names": [
		"showcard.cgi?u=e3579aff-2cc6-452c-837b-91f4b3825bf2"
	],
	"threat_actors": [
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775791688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19e7625edcdd5331ce64685b0199aa81b0c5e0a7.pdf",
		"text": "https://archive.orkl.eu/19e7625edcdd5331ce64685b0199aa81b0c5e0a7.txt",
		"img": "https://archive.orkl.eu/19e7625edcdd5331ce64685b0199aa81b0c5e0a7.jpg"
	}
}