{
	"id": "d460f96a-922c-4363-9d82-1d283c47e6f2",
	"created_at": "2026-04-06T00:12:12.137164Z",
	"updated_at": "2026-04-10T03:35:17.795617Z",
	"deleted_at": null,
	"sha1_hash": "8e94823a0154478b823d15fc845261552893f7b8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59937,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:43:47 UTC\nHome \u003e List all groups \u003e Dungeon Spider\n Other threat group: Dungeon Spider\nNames Dungeon Spider (CrowdStrike)\nCountry Russia\nMotivation Financial gain\nFirst seen 2016\nDescription\n(CrowdStrike) Dungeon Spider is a criminal group operating the ransomware most\ncommonly known as Locky, which has been active since February 2016 and was last\nobserved in late 2017. Locky is a ransomware tool that encrypts files using a\ncombination of cryptographic algorithms: RSA with a key size of 2,048 bits, and\nAES with a key size of 128 bits. Locky targets a large number of file extensions and\nis able to encrypt data on shared network drives. In an attempt to further impact\nvictims and prevent file recovery, Locky deletes all of the Shadow Volume Copies\non the machine.\nDungeon Spider primarily relies on broad spam campaigns with malicious\nattachments for distribution. Locky is the community/industry name associated with\nthis actor.\nLocky has been observed to be distributed via Necurs (operated by Monty Spider).\nObserved Countries: Worldwide.\nTools used Locky.\nOperations performed\nFeb 2016\nA cyberattack launched against the Hollywood Presbyterian Medical\nCenter has forced staff to declare an “internal emergency” and left\nemployees unable to access patient files.\nFeb 2016 A red marquee bannered on the homepage of the Methodist Hospital in\nHenderson, Kentucky announced a cyberattack that successfully\npenetrated their networks, prompting it to operate under an “internal\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436\nPage 1 of 3\n\nstate of emergency”.\nApr 2016\nJapanese Trends in the Aggressive Activity of the “Locky”\nRansomware\nJun 2016\nLocky Ransomware Hides Under Multiple Obfuscated Layers of\nJavaScript\nAug 2016\nLocky Ransomware Distributed Via DOCM Attachments in Latest\nEmail Campaigns\nJan 2017\nWithout Necurs, Locky Struggles\nApr 2017\nNow, cybercriminals are using PDFs instead of Word documents to\ndeliver Locky ransomware.\nAug 2017\nNew Locky Ransomware Phishing Attacks Beat Machine Learning\nTools\nAug 2017\nLocky Ransomware switches to the Lukitus extension for Encrypted\nFiles\nSep 2017\nLocky ransomware strikes at Amazon\nNov 2017\nThe most recent change for Locky came as one of the most popular\nways to spread malware: spear phishing emails.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436\nPage 2 of 3\n\nFeb 2018\nLocky Ransomware Is Back in a Big Way\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436"
	],
	"report_names": [
		"showcard.cgi?u=32791f72-1874-4af1-bd3a-82dfc544b436"
	],
	"threat_actors": [
		{
			"id": "748eb9f3-ef15-4645-881b-b91681111812",
			"created_at": "2022-10-25T16:07:24.510024Z",
			"updated_at": "2026-04-10T02:00:05.016515Z",
			"deleted_at": null,
			"main_name": "Monty Spider",
			"aliases": [
				"Gold Riverview"
			],
			"source_name": "ETDA:Monty Spider",
			"tools": [
				"Necurs",
				"nucurs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa8d7ec6-128a-41b9-8cdc-01ad8843020f",
			"created_at": "2022-10-25T16:07:24.485077Z",
			"updated_at": "2026-04-10T02:00:05.005858Z",
			"deleted_at": null,
			"main_name": "Dungeon Spider",
			"aliases": [],
			"source_name": "ETDA:Dungeon Spider",
			"tools": [
				"Locky"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a15363f3-ec73-4a94-a94c-60ffb4925a40",
			"created_at": "2023-01-06T13:46:39.10693Z",
			"updated_at": "2026-04-10T02:00:03.215548Z",
			"deleted_at": null,
			"main_name": "MONTY SPIDER",
			"aliases": [
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:MONTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6898c5bc-48af-4e38-917b-f9f0a41d0ee2",
			"created_at": "2023-01-06T13:46:39.00984Z",
			"updated_at": "2026-04-10T02:00:03.179681Z",
			"deleted_at": null,
			"main_name": "DUNGEON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:DUNGEON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e94823a0154478b823d15fc845261552893f7b8.pdf",
		"text": "https://archive.orkl.eu/8e94823a0154478b823d15fc845261552893f7b8.txt",
		"img": "https://archive.orkl.eu/8e94823a0154478b823d15fc845261552893f7b8.jpg"
	}
}