{
	"id": "396d09c6-8b4c-4737-872e-ab184153bbfd",
	"created_at": "2026-04-06T00:18:19.608347Z",
	"updated_at": "2026-04-10T13:12:56.920852Z",
	"deleted_at": null,
	"sha1_hash": "21cc7a1b43773940f471c16a1dd66d87325183fb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56085,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 11:34:16 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool WastedLocker\n Tool: WastedLocker\nNames WastedLocker\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Fox-IT) The new WastedLocker ransomware appeared in May 2020 (a technical\ndescription is included below). The ransomware name is derived from the filename it\ncreates which includes an abbreviation of the victim’s name and the string ‘wasted’. The\nabbreviation of the victim’s name was also seen in BitPaymer, although a larger portion\nof the organisation name was used in BitPaymer and individual letters were sometimes\nreplaced by similar looking numbers.\nTechnically, WastedLocker does not have much in common with BitPaymer, apart from\nthe fact that it appears that victim specific elements are added using a specific builder\nrather than at compile time, which is similar to BitPaymer. Some similarities were also\nnoted in the ransom note generated by the two pieces of malware. The first\nWastedLocker example we found contained the victim name as in BitPaymer ransom\nnotes and also included both a protonmail.com and tutanota.com email address. Later\nversions also contained other Protonmail and Tutanota email domains, as well as Eclipso\nand Airmail email addresses. Interestingly the user parts of the email addresses listed in\nthe ransom messages are numeric (usually 5 digit numbers) which is similar to the 6 to\n12 digit numbers seen used by BitPaymer in 2018.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d718aaef-4608-46fd-8245-a6036ebf54f2\nPage 1 of 2\n\nMITRE ATT\u0026CK Malpedia Playbook Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool WastedLocker\nChanged Name Country Observed\nAPT groups\n Indrik Spider 2007-Oct 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d718aaef-4608-46fd-8245-a6036ebf54f2\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d718aaef-4608-46fd-8245-a6036ebf54f2\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d718aaef-4608-46fd-8245-a6036ebf54f2"
	],
	"report_names": [
		"listgroups.cgi?u=d718aaef-4608-46fd-8245-a6036ebf54f2"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21cc7a1b43773940f471c16a1dd66d87325183fb.pdf",
		"text": "https://archive.orkl.eu/21cc7a1b43773940f471c16a1dd66d87325183fb.txt",
		"img": "https://archive.orkl.eu/21cc7a1b43773940f471c16a1dd66d87325183fb.jpg"
	}
}