{
	"id": "e1ffb5a8-69aa-457b-8180-ffba5634868b",
	"created_at": "2026-04-06T00:17:55.769591Z",
	"updated_at": "2026-04-10T13:11:49.814172Z",
	"deleted_at": null,
	"sha1_hash": "79177e0137600508d3d1e5edae412fab838681ff",
	"title": "Ransomware + Data Leak Extortion: Origins and Adversaries, Pt. 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1409430,
	"plain_text": "Ransomware + Data Leak Extortion: Origins and Adversaries, Pt. 1\r\nBy The CrowdStrike Intel Team\r\nArchived: 2026-04-05 15:14:54 UTC\r\n
The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data extortion is not a new tactic for criminal adversaries; however, when BGH operations don't result in payment, victims now face a double-headed threat of ensuring their data does not make it into the hands of others.\r\n
This first part of a two-part blog series explores the origins of ransomware, BGH and extortion, and introduces some of the criminal adversaries that are currently dominating this data leak extortion ecosystem.\r\n
A Brief History of Ransomware and Big Game Hunting\r\n
The origins of ransomware can in part be traced back to around 2008 with the development of fake antivirus software by cybercriminal organizations. These applications showed phony alerts to victims and required payment to “clean up” malware infections. These criminal enterprises were driven by affiliates (known in Russian-speaking criminal forums as partnerka) that earned a commission for each infection and each fake antivirus purchase. At the time, these criminal organizations were able to leverage high-risk merchant accounts to accept credit cards, making it easy for the average victim to pay for their bogus software. Eventually, credit card companies were able to identify and prevent these types of fraudulent transactions, effectively putting the eCriminals out of business. As fake antivirus software disappeared, a new threat emerged that became the predecessor to modern ransomware. Known as a screen locker, this threat would typically display a message impersonating international law enforcement agencies such as the FBI, Interpol and the U.K.’s Metropolitan Police Service. The message essentially locked a victim out of accessing their desktop, demanding payment as a “fine” for the victim’s “criminal” activity, such as viewing illicit pornography, distributing copyrighted material, etc. Payment was made primarily through Ukash, Paysafe and MoneyPak. There were also screen lockers that claimed to encrypt a victim’s files; however, the vast majority did not perform any encryption. The criminals behind this activity used the same affiliate-driven model as the fake antivirus groups to share profits.\r\n
Screen lockers virtually disappeared after the introduction of a ransomware family known as CryptoLocker in 2013. CryptoLocker ransomware was revolutionary in both the number of systems it impacted and its use of strong cryptographic algorithms. The ransomware was developed by the so-called BusinessClub that used the massive Gameover Zeus botnet with over a million infections. The group primarily leveraged their botnet for banking-related fraud. However, they realized that not all infections could be monetized easily, so they decided to develop their own ransomware and deploy it to a subset of their botnet’s infected systems. The ransom demand for victims was relatively small — an amount between $100 and $300 USD — and payable in a variety of digital currencies including cashU, Ukash, Paysafe, MoneyPak, and Bitcoin (BTC). CryptoLocker became extremely successful, and other cybercriminals took notice, leading to an explosion in ransomware malware families that continued to use the same affiliate-based profit-sharing model. The next major trend in ransomware began in 2016 with the introduction of the Samas ransomware by BOSS SPIDER. Unlike prior ransomware families, Samas went specifically after businesses rather than individuals. This group initially gained access to corporate networks using Remote Desktop Protocol (RDP) and outdated JBoss instances that were exposed to the internet. Once inside the organization, BOSS SPIDER used tactics similar to many state-sponsored threat actors to move laterally, compromise an organization’s domain controller, and thereafter deploy their ransomware. Not only did Samas impact businesses, but BOSS SPIDER realized that they could demand a significantly larger ransom payment. CrowdStrike® Intelligence refers to this operational model as big game hunting, which was quickly adopted by INDRIK SPIDER. Interestingly, INDRIK SPIDER had primarily focused on banking fraud for more than half a decade. However, after BOSS SPIDER’s success with BGH attacks, INDRIK SPIDER realized that ransomware was far more profitable and far less complex to monetize (e.g., it did not require an extensive money mule network to launder funds). This actor shifted from banking fraud to ransomware in 2017, developing BitPaymer ransomware, and more recently, WastedLocker. Since the early BGH operations of BOSS SPIDER and INDRIK SPIDER, the trend has transformed the eCrime ecosystem. New adversaries have adopted BGH techniques, and enablers have built tools to cater to this burgeoning market.\r\n
A New Trend: Cyber Extortion\r\n
Cyber extortion also has a long history, including email extortion, distributed denial-of-service (DDoS) extortion and data extortion attacks. Email extortion is likely the most prolific and longest-standing form of cyber extortion given its low barrier to entry. In order to operate campaigns, criminal actors merely need to acquire leaked passwords, which can be easily found on Pastebin, or other more superficial victim information, such as a telephone number, to help appear legitimate in that they have somehow acquired damaging information related to the victim. These actors typically send an email to the victim containing one piece of legitimate personal information, claim the victim was infected with malware and that they thereby acquired more damaging information. The actor then demands a ransom payment in order to keep the information from being sent to the victim’s friends, family or colleagues. A slightly more sophisticated version of this technique came with the emergence of DDoS extortion. As early as April 2014, PIZZO SPIDER (also known as DD4BC, which is an acronym for “DDoS for Bitcoin”) sent emails claiming that they would DDoS a business and take down their services if the business did not pay the demanded ransom amount, as shown in Figure 1. Later, MIMIC SPIDER and other criminal actors operating Internet of Things (IoT) botnets, such as Mirai, used this technique. Some of these actors conducted DDoS attacks before the threat to prove they could follow through, while other actors simply rode the coattails of other attacks, sending the threat while unable to follow through with the deed.\r\n
Figure 1. PIZZO SPIDER threatening to DDoS a gambling site unless ransom is paid\r\n
One of the more publicized actors to capitalize on this trend and take it to the next level is OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.\r\n
Putting It All Together: Cyber Extortion With Ransomware\r\n
On May 7, 2019, Mayor Bernard “Jack” Young confirmed that the network for the U.S. City of Baltimore (CoB) was infected with ransomware, which was announced via Twitter [1]. This infection was later confirmed to be conducted by OUTLAW SPIDER, which is the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems to recover the city’s files. On May 9, 2019, CrowdStrike Intelligence observed OUTLAW SPIDER post an image on the Tor hidden service hosted by the actors to establish communications with their victims (known as a payment portal). This image contained sensitive information allegedly taken from the CoB network and was posted along with a message stating, “The city also said no personal data has been compromised, Really ?!.” This comment was likely in response to public statements by the city that no personal information had been compromised during the incident and to incentivize ransom payment. Young later stated that not only was the city not going to pay the ransom, but that “we’re going to get and punish them to the fullest extent of the law.” [2] This was followed by further communications from OUTLAW SPIDER, through an established Twitter account and the payment portal, stating they would remove all collected city information if the ransom was paid by a specified deadline, as shown in Figure 2.\r\n
Figure 2. OUTLAW SPIDER’s City of Baltimore payment portal communications\r\n
Although ineffective, the incident with the CoB and OUTLAW SPIDER was the first instance observed by CrowdStrike Intelligence of data extortion to incentivize ransom payment.\r\n
Ransomware Actors Leaking Victim Data\r\n
After the CoB incident with OUTLAW SPIDER, several months passed before TWISTED SPIDER reintroduced this technique in November 2019. TWISTED SPIDER’s late 2019 activity proved the catalyst for numerous eCrime threat actors adopting the use of dedicated leak sites (DLSs) to threaten the distribution of company data in various forms. TWISTED SPIDER remains the most prolific actor using this technique, with a variety of actors adopting it through the first half of 2020, as shown in Figure 3. This section provides an overview of each of these threat actors and how they incentivize and pressure victims to pay ransoms.\r\n
Figure 3. Number of entities published to dedicated leak sites by criminal adversaries from November 2019 through July 2020\r\n
TWISTED SPIDER\r\n
TWISTED SPIDER has been operating Maze ransomware since at least May 2019; however, the actors did not start leaking victim data until November 2019. They first advertised their data leaks on a Russian underground forum, claiming to include 10% of the victim’s data and threatening to leak the remaining data in a later post. In these posts, the criminal actor called out popular security companies and warned another victim to pay the ransom quickly. On December 10, 2019, they created a DLS but continued to post to Russian underground forums. On January 2, 2020, a victim filed a lawsuit against TWISTED SPIDER and the company hosting the DLS containing the stolen files. This caused the site to be temporarily taken down, but TWISTED SPIDER merely created a new DLS on January 9, 2020. Despite the legal action, the actor remained active, continuing to deploy their ransomware on victim networks and posting data either on underground forums or to the new DLS. Currently, the criminal actor hosts the DLS simultaneously on the web and on a Tor hidden service. TWISTED SPIDER’s audacious commentary continues as they mock security companies and researchers in posts on their DLS, and call out victims before and after the release of data to induce payment. When TWISTED SPIDER leaks victim data, the actor publishes identifying information, including the victim’s headquarters, phone number, fax number and website, as shown in Figure 4. If the post is intended to serve as a warning, the actors will only upload a sample of data for proof. In addition to leaking data on their DLS, TWISTED SPIDER also uses the site as a platform for their press releases. These releases include terms and conditions for their operations, naming and shaming of victims, and proclamations of the group’s alleged motivations and goals.\r\n
Figure 4. Screenshot of Maze DLS\r\n
While TWISTED SPIDER may not have been the first ransomware actor to conduct data extortion, they have been successful in operationalizing the practice. The actor has continued to leak data with increased frequency and consistency. The timeline in Figure 5 provides a view of data leaks from over 230 victims from November 11, 2019, until May 2020. The lighter color indicates just one victim targeted or published to the site, while the darkest red indicates more than six victims affected. TWISTED SPIDER has had multiple instances where they have published over 10 victims in one day. In addition, the group appears to work most days of the week, with Sunday being the least prolific day and Mondays and Fridays being the most active.\r\n
Figure 5. Timeline of victims published to TWISTED SPIDER’s news site by publish date, or actor-claimed lock date when available, through July 2020\r\n
PINCHY SPIDER\r\n
On December 9, 2019 (approximately two and a half weeks after TWISTED SPIDER’s first leak), a vendor of PINCHY SPIDER’s REvil ransomware as a service (RaaS) posted a threat to leak victim data to an underground forum. This is the first time CrowdStrike Intelligence observed the group or their affiliates making such a threat, and it appeared to be in frustration over failing to monetize compromises at a U.S.-based managed service provider (MSP) and a China-based asset management firm. Since that time, affiliates of PINCHY SPIDER have posted data on more than 80 victims.\r\n
PINCHY SPIDER began leaking victim data on underground forums before launching a DLS on February 26, 2020, hosted using a Tor hidden service. Similar to TWISTED SPIDER’s initial leaks, PINCHY SPIDER warns victims of the planned data leak, usually via a blog post on their DLS containing sample data as proof (see Figure 6), before releasing the bulk of the data after a given amount of time. REvil will also provide a link to the blog post within the ransom note distributed to systems encrypted by REvil ransomware. The link contains a GET parameter which, when supplied, displays the leak to the affected victim before it is exposed to the public. Upon visiting the link, a countdown timer begins, and the leak is published once the given amount of time has elapsed.\r\n
Figure 6. Screenshot of REvil’s DLS\r\n
A timeline for victims affected by PINCHY SPIDER’s data leaks is shown in Figure 7. A single victim published is displayed as the lightest color; the darkest color indicates six victims were published to the site in one day. While PINCHY SPIDER affiliates took time to begin using the tactic, by the time April 2020 rolled around, the publishing of victim data became more consistent. In addition, unlike TWISTED SPIDER, affiliates of PINCHY SPIDER appear to take weekends off; victim data is typically published during the working days of Monday through Friday.\r\n
Figure 7. Timeline of victims affected by data leaks conducted by affiliates of PINCHY SPIDER from January through July 2020\r\n
DOPPEL SPIDER\r\n
DOPPEL SPIDER, operator and developer of the ransomware DoppelPaymer, was next to leak victim data. Since introducing their DLS (see Figure 8) on February 21, 2020, the actor has published data from over 40 victims. However, while TWISTED SPIDER and PINCHY SPIDER typically leak data in at most three parts, DOPPEL SPIDER will leak data over multiple days, and sometimes weeks. Additionally, DOPPEL SPIDER will only post victim information after a victim refuses to pay and the timer for the payment deadline has expired. The actor likely does this to let the victim observe that the data is legitimate and to incentivize them to pay the ransom before all of their data is leaked.\r\n
Figure 8. Screenshot of main page of DoppelPaymer DLS\r\n
As can be seen in Figure 9, DOPPEL SPIDER is not as visibly prolific as TWISTED SPIDER or PINCHY SPIDER and leaks data sporadically, occasionally going one to two weeks without victims being published. The timeline displays a single victim published to the site as the lightest color, with up to three victims, the darkest color, having been published in a given day.\r\n
Figure 9. Timeline of data leaks conducted by DOPPEL SPIDER, February through July 2020\r\n
VIKING SPIDER\r\n
VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. Since this time, at least 12 victims have been observed on their DLS, which is shown in Figure 10.\r\n
Figure 10. Screenshot of Ragnar Locker DLS\r\n
LockBit\r\n
In development since at least September 2019, LockBit is available as a RaaS, advertised to Russian-speaking users or English speakers with a Russian-speaking guarantor. In May 2020, an affiliate operating LockBit posted a threat to leak data on a popular Russian-language criminal forum, as shown in Figure 11.\r\n
Figure 11. Example content of forum post threatening data leak by affiliate operating LockBit\r\n
In addition to the threat, the affiliate provides proof, such as an image of the folder structure and at least one screenshot of an example document contained within the victim data. Once the deadline passes, the affiliate is known to post a mega\u003c.\u003enz link to download the stolen victim data. This affiliate has threatened to publish data from at least nine victims. Currently, there is no DLS in operation dedicated to LockBit ransomware.\r\n
MedusaLocker\r\n
MedusaLocker is a ransomware family that was first seen in the wild in early October 2019. In January 2020, a fork of MedusaLocker named Ako was observed, which has been updated to support the use of a Tor hidden service to facilitate a RaaS model. Operators of the Ako version of the malware have since implemented a DLS (Figure 12). At least nine victims have been published to the site since its inception.\r\n
Figure 12. Screenshot of MedusaLocker fork Ako DLS\r\n
Conclusion\r\n
Data extortion is not a new trend, but it seems to be growing in popularity as a way to fuel ransomware operations. OVERLORD SPIDER is one of possibly many eCrime actors using data theft and extortion as the main driver for their operations — in fact, it is the only method used by this actor. OVERLORD SPIDER’s operations have been well publicized and may have influenced other actors about the potential effectiveness of this tactic in eliciting payment.\r\n
To date, the majority of ransomware operators engaged in BGH operations have adopted or threatened the data-theft-and-leak tactic, with the exception of INDRIK SPIDER and WIZARD SPIDER. It is also likely that less sophisticated ransomware operators will threaten data leaks, even if they do not have the capability to exfiltrate data, in order to capitalize on the current trend of data extortion by bluffing.\r\n
As organizations improve their capabilities to rebound from ransomware attacks and security researchers continue to create decryptors for ransomware, there is less incentive for victims to pay the ransom in order to reclaim files. However, criminal actors have found a way to thwart these defensive measures. By exfiltrating data from victim networks and leaking it if companies refuse to comply, criminal actors might be able to revitalize the financial returns of their criminal activities.\r\n
This blog was written by CrowdStrike Intelligence analysts Molly Lane, Josh Reynolds, Brett Stone-Gross and Bex Hartley.\r\n
[1] https://twitter\u003c.\u003ecom/mayorbcyoung/status/1125826676280188929\r\n[2] https://www.baltimore\u003c.\u003ecom/politics/bs-md-young-hack-20190510-story.html\r\n
Additional Resources\r\n
Download: CrowdStrike 2020 Global Threat Report.\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit the CrowdStrike Falcon® Intelligence Threat Intelligence page.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\n
Source: https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
	],
	"report_names": [
		"double-trouble-ransomware-data-leak-extortion-part-1"
	],
	"threat_actors": [
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b57a3b93-3a22-4889-af28-37cc53e824e7",
			"created_at": "2023-01-06T13:46:39.24034Z",
			"updated_at": "2026-04-10T02:00:03.256906Z",
			"deleted_at": null,
			"main_name": "MIMIC SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:MIMIC SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a9db5b93-dd22-4e33-9012-3650745266ee",
			"created_at": "2023-01-06T13:46:39.234575Z",
			"updated_at": "2026-04-10T02:00:03.254853Z",
			"deleted_at": null,
			"main_name": "OVERLORD SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OVERLORD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e2776db-982d-4c07-8dd5-3888242aa7bc",
			"created_at": "2023-01-06T13:46:38.437237Z",
			"updated_at": "2026-04-10T02:00:02.974399Z",
			"deleted_at": null,
			"main_name": "PIZZO SPIDER",
			"aliases": [
				"DD4BC",
				"Ambiorx"
			],
			"source_name": "MISPGALAXY:PIZZO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9639c065-3fa6-432f-9cbd-5708500c4eaa",
			"created_at": "2022-10-25T16:07:23.255684Z",
			"updated_at": "2026-04-10T02:00:04.506059Z",
			"deleted_at": null,
			"main_name": "Overlord Spider",
			"aliases": [
				"The Dark Overlord"
			],
			"source_name": "ETDA:Overlord Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79177e0137600508d3d1e5edae412fab838681ff.pdf",
		"text": "https://archive.orkl.eu/79177e0137600508d3d1e5edae412fab838681ff.txt",
		"img": "https://archive.orkl.eu/79177e0137600508d3d1e5edae412fab838681ff.jpg"
	}
}