{
	"id": "aa69a903-62bd-4a79-8644-3d6ad7868186",
	"created_at": "2026-04-06T00:11:44.328985Z",
	"updated_at": "2026-04-10T03:36:11.10414Z",
	"deleted_at": null,
	"sha1_hash": "aeffe23dbc5ed366c413f580fc8f67b1ce72e675",
	"title": "Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 873570,
	"plain_text": "Big Game Hunting: The Evolution of INDRIK SPIDER From\r\nDridex Wire Fraud to BitPaymer Targeted Ransomware\r\nBy sergei.frankoff.and.bex.hartley\r\nArchived: 2026-04-05 16:49:45 UTC\r\nINDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and\r\n2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are\r\nthought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation,\r\nDridex has received multiple updates with new modules developed and new anti-analysis features added to the\r\nmalware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the\r\nU.K.’s National Health Service (NHS) , with a high ransom demand of 53 BTC (approximately $200,000 USD).\r\nThe targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out\r\nfrom other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer\r\nwas not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with\r\nDridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER,\r\nsuggesting the group had expanded its criminal operation to include ransomware as a monetization strategy. The\r\nbeginning of 2017 also brought a turning point in INDRIK SPIDER’s operation of Dridex. Dridex spam\r\ncampaigns significantly declined, with new campaigns moving from high volume and frequency, to smaller,\r\ntargeted distribution. The rapid development of Dridex also slowed during this time, with fewer versions released\r\nduring 2017 than in previous years. CrowdStrike® Falcon® Intelligence™ also observed a strong correlation\r\nbetween Dridex infections and BitPaymer ransomware. 
During incidents that involved BitPaymer, Dridex was\r\ninstalled on the victim network prior to the deployment of the BitPaymer malware. Also unusual was the\r\nobservation that both Dridex and BitPaymer were spread through the victim network using lateral movement\r\ntechniques traditionally associated with nation-state actors and penetration testing. These new tactics of selectively\r\ntargeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER’s operation with a\r\nnew focus on targeted, low-volume, high-return criminal activity: a type of cybercrime operation we refer to as\r\nbig game hunting. Since this shift, INDRIK SPIDER has used BitPaymer ransomware as a key vehicle for these\r\noperations, having netted around $1.5M USD in the first 15 months of ransomware operations.\r\nTargeted Delivery\r\nFalcon Intelligence has provided support to multiple active BitPaymer incident response (IR) engagements. The\r\ninformation gathered from these engagements, combined with information from prior Dridex IR engagements,\r\nprovides insight into how INDRIK SPIDER deploys and operates both Dridex and BitPaymer. An overview of this\r\nprocess is provided below in Figure 1.\r\nhttps://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/\r\nPage 1 of 14\n\nFigure 1. BitPaymer Ransomware Infection With Dridex\r\nIn recent BitPaymer IR engagements, Falcon Intelligence linked the initial infection vector to fake updates for a\r\nFlashPlayer plugin and the Chrome web browser. These fake updates are served via legitimate websites that have\r\nbeen compromised, and use social engineering to trick users into downloading and running a malicious\r\nexecutable. 
These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK\r\nSPIDER to deliver its malware, as other malware has also been delivered via the same campaigns.\r\nLateral Movement With PowerShell Empire\r\nAfter the initial compromise, Falcon Intelligence observed both the Dridex loader and PowerShell Empire in\r\noperation on the infected host. PowerShell Empire is a post-exploitation agent built for penetration testing, which\r\nwas used to move laterally between hosts. When moving between hosts, the PowerShell Empire agent was run as\r\na service with the name Updater, as shown below in Figure 2.\r\nFigure 2. PowerShell Empire Run as a Service\r\nDuring this lateral movement, Falcon Intelligence also observed PowerShell Empire deploying the Mimikatz\r\nmodule on servers in the victim’s network. Mimikatz is a post-exploitation tool used to harvest credentials from\r\nWindows hosts. These compromised credentials were then used for further lateral movement. For many of the\r\nhosts that PowerShell Empire moved to, it would download and install the Dridex loader. The lateral movement\r\ncontinued until the domain credentials for the environment were retrieved and both PowerShell Empire and the\r\nDridex loader were installed on the domain controllers in the environment. This process appears to be automated\r\nbased on the speed at which the hosts are compromised. Though traditionally used to load modules for fraud\r\nactivity, recent updates to the Dridex loader also allow it to perform system and network reconnaissance. These\r\nreconnaissance capabilities include the ability to collect information about the current user on the host, list\r\ncomputers on the local network, and extract the system’s environment variables. 
This information is likely used to\r\nassist with identifying interesting targets within the victim network. In some instances, Falcon Intelligence\r\nobserved several days of inactivity between the time the domain controllers were compromised and the\r\ninstallation of BitPaymer. This delay may indicate that the operators were performing reconnaissance and\r\ngathering information about the victim before deciding how best to monetize the compromise.\r\nRansomware Deployed via PowerShell Empire and GPO\r\nFalcon Intelligence has observed two different methods used to deploy BitPaymer once the domain controllers are\r\ncompromised. In one instance, only the domain controllers and other critical infrastructure, like payroll servers,\r\nwere targeted and PowerShell Empire was used to download and execute the BitPaymer malware directly on these\r\nservers. In another instance, the BitPaymer malware was downloaded to a network share in the victim network,\r\nand a startup script called gpupdate.bat was pushed to all the hosts on the network via Group Policy Object\r\n(GPO), from the domain controllers. This script copied BitPaymer from the share and executed it on each host in\r\nthe network, encrypting thousands of machines.\r\nBig Game Hunters Use APT Tactics\r\nThis targeted deployment methodology involving credential compromise, lateral movement, and the use of system\r\nadministrator tools closely mimics behavior Falcon Intelligence has observed from nation-state adversary groups,\r\nand penetration testing teams. 
With the move to targeting select victims for high-value payouts, the INDRIK\r\nSPIDER adversary group is no longer forced to scale its operations, and now has the capacity to tailor its tooling\r\nto the victim’s environment and play a more active role in the compromise with “hands on keyboard” activity.\r\nBitPaymer Ransomware\r\nThough the first publicly reported use of BitPaymer was in August 2017, when the malware was linked to\r\nransomware attacks against several NHS hospitals, it was first identified in July 2017 by Twitter user Michael\r\nGillespie. Later, in January 2018, a report was released that identified similarities between the BitPaymer\r\nransomware and Dridex malware. The report authors renamed the malware “FriedEx.” Falcon Intelligence has\r\nanalyzed this malware and can confirm the overlap between BitPaymer/FriedEx and Dridex malware. Due to the\r\ntargeted nature of the ransomware, BitPaymer is custom-built for each operation, with a unique encryption key, a\r\nransom note and contact information embedded in it. As a result of this customization, there are multiple builds of\r\nthe malware, though Falcon Intelligence has identified two main variants: an older variant that splits the\r\nencryption process into multiple “modes” with each mode focused on a specific task; and a newer variant that is\r\nbuilt to be run as a service.\r\nBitPaymer AKA “wp_encrypt”\r\nDuring analysis, Falcon Intelligence obtained builds of the ransomware that contained the program database\r\n(PDB) string S:\\Work\\_bin\\Release-Win32\\wp_encrypt.pdb. Based on this string, the malware developers refer to\r\nthis ransomware as wp_encrypt. The PDB string also contains the prefix string S:\\Work\\, which is identical to\r\nother Dridex modules, including those shown in Table 1. 
The ransomware also contains code from the Dridex\r\nmodules, with some variants of the ransomware sharing up to 69 percent of their code with the Dridex loader.\r\nMODULE NAME DESCRIPTION\r\nloader Downloads and installs the core Dridex modules, including the worker\r\nvnc Provides remote desktop access\r\nnetcheck Checks network connectivity\r\nspammer Spam module\r\nworker Core component responsible for banking trojan functionality, including keylogging, web injects, download and execute second-stage payloads, etc.\r\ntrendmicro Whitelists Dridex modules from TrendMicro antivirus detection\r\nwp_decrypt BitPaymer decryption tool\r\nTable 1. Dridex Modules Sharing the Same PDB Path Prefix\r\nAnti-Analysis\r\nBoth variants of the BitPaymer malware feature multiple techniques to hinder analysis. The malware developers\r\nhave employed a combination of encrypted strings, string hashes and dynamic API resolution to ensure that no\r\nplaintext strings exist in the binary.\r\nEncrypted Strings Table\r\nThe BitPaymer malware contains a small table of encrypted strings in the rdata section of the binary. These\r\nstrings use standard RC4 encryption in which the first 40 bytes form the RC4 key, and the remaining data contains\r\nthe encrypted strings table. These strings are temporarily decrypted on-demand during runtime. The strings in the\r\ndecrypted strings table are separated by a null byte and are referenced by their order. This string table encryption\r\nmethod is identical to the method used in other Dridex malware, including the 40-byte key length and the position\r\nof the table in the rdata section. 
The strings table includes, among other strings, the RSA public key used in the\r\nransomware encryption, the ransom note, file extensions and the encryption target flags string.\r\nString Hashes\r\nIn addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and\r\nuses an algorithm to match these hashes with strings that exist on the host. For example, when setting the run key\r\nfor persistence, instead of simply opening the registry key\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, BitPaymer uses the API RegEnumKeyW\r\nto iterate through all the registry keys, comparing their hash value until the correct key has been located. The\r\nhashing algorithm generates a CRC32 hash of the string, converted to lowercase. This hash is combined with a\r\nDWORD using a simple XOR. This DWORD is different for each build of the malware. This string hashing\r\nalgorithm is identical to the hashing algorithm used in other Dridex modules. The hash algorithm has been\r\nreplicated in Python below.\r\nimport binascii\r\n\r\ndef get_string_hash(string_value, key_dword):\r\n    # CRC32 of the lowercased string; the page does not state the byte encoding, so UTF-8 is assumed here\r\n    crc_hash = binascii.crc32(string_value.lower().encode()) \u0026 0xffffffff\r\n    # Combine the CRC32 with the per-build DWORD using a simple XOR\r\n    hash_value = crc_hash ^ key_dword\r\n    return hash_value\r\nDynamic API Resolution\r\nThe Windows APIs that are used in the malware are resolved dynamically at runtime. For each API, the function\r\nname and DLL name are hashed and stored in the binary. At runtime, when the API is needed, the malware will\r\niterate through all DLLs in the Windows system directory, comparing a hash of their name with a precomputed\r\nDLL hash until it has been located. The malware will then load the DLL and iterate through the export table\r\ncomparing a hash of the API name with the expected hash until it has been located. The hashing algorithm used\r\nfor the API names is the same CRC32 algorithm used for the string hashes. 
However, when hashing the DLL\r\nnames, BitPaymer converts the strings to uppercase before hashing them. This process is also used in other Dridex\r\nmodules.\r\nPersistence\r\nThe older “mode” variant of BitPaymer uses the Windows registry for persistence, while the newer service variant\r\nwill attempt to install itself as a service. If that fails, it will fall back to using the Windows registry.\r\nRegistry Persistence\r\nThe older “mode” variant will first copy itself to either the %USERPROFILE%\\AppData\\Local or the\r\n%USERPROFILE%\\AppData\\LocalLow directory, depending on its process integrity level. Then it will add a new registry value to the registry key\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with the path to the newly copied malware. The\r\nregistry value name is a randomly generated string between five and fifteen characters, containing upper and\r\nlowercase letters as well as numbers.\r\nWindows Event Viewer UAC Bypass (eventvwr.msc)\r\nWhen the newer service variant of BitPaymer is run, it first determines if it is being executed from an alternate\r\ndata stream. If it is not executed from an alternate data stream, the malware creates a file in the %APPDATA% folder\r\nwith a random file name between three and eight characters long, containing uppercase and lowercase letters as\r\nwell as numbers. It then copies itself to the alternate data stream :bin of the newly created file and creates a new\r\nprocess from the stream. When the malware is executed from the alternate data stream, it checks the process\r\nintegrity level. If it is not running with a level above medium integrity, it attempts to elevate its privileges. 
To\r\nsuppress the User Account Control (UAC) prompt that normally occurs during privilege elevation, the malware\r\nuses a UAC bypass technique first documented in August 2016. This bypass requires temporarily setting either the\r\nregistry key HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command on Windows 10, or the registry key\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command on Windows 7 to execute the malware. Once the registry\r\nkey is set, the malware launches the Windows event viewer process eventvwr.msc, which will inadvertently\r\nlaunch the malware set in the registry keys with elevated privileges.\r\nHijacked Service Persistence\r\nIf elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the\r\nolder mode variant for persistence, HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. However, if the\r\nmalware is successful in elevating privileges, it begins to enumerate existing Windows services on the host that\r\nare configured to run as LocalSystem. The malware selects services that are currently not active and ignores\r\nservices that launch the executables svchost.exe and lsass.exe. For each service, the malware attempts to\r\ntake control of the service’s executable — first using icacls.exe with the /reset flag to reset the executable’s\r\npermissions, then using takeown.exe with the /F flag to take ownership of the executable. If this is successful,\r\nthe malware creates a :0 alternate data stream in the executable and copies the executable’s own contents to the\r\nstream. This can be used to restore the executable later. Then the malware replaces the contents of the executable\r\nwith a copy of itself and launches the service. The file modified time of the executable is also artificially changed\r\nto 00:00:00 UTC. 
The purpose of this time change is so the file can be identified and restored by the decryption\r\ntool. Once a service has been successfully hijacked and launched, the malware stops attempting to hijack the\r\nremaining services and exits. If there are no services matching the selection criteria, BitPaymer simply exits and\r\nno files are encrypted.\r\nShadow Files Removal\r\nBefore encryption, both variants of BitPaymer attempt to remove the backup shadow files from the host, making it\r\nimpossible to restore encrypted files from shadow copies. This is achieved by launching the vssadmin.exe process with the following\r\ncommand: vssadmin.exe Delete Shadows /All /Quiet.\r\nEncryption\r\nThere is a string present in the strings table that works like a configuration flag for the encryption targets of the\r\nmalware. The string may contain a combination of the letters F, R, N, and S. During the encryption process, the\r\nletters in this flag are checked to determine what drive types to encrypt. The corresponding drive types for each\r\nletter are described below in Table 2. All BitPaymer samples analyzed by Falcon Intelligence had all four flags\r\nenabled for maximum encryption.\r\nLETTER DESCRIPTION\r\nF Encrypt fixed drives\r\nR Encrypt removable drives\r\nN Encrypt network drives (mounted)\r\nS Search for network shares on the domain / workgroup and encrypt them\r\nTable 2. BitPaymer Drive Type Configuration String\r\nNetwork Share Encryption\r\nIn order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the\r\ninfected host and create a new process, using the token of each user. These new processes will first spawn a\r\nnet.exe process with the view argument to gather a list of network accessible hosts. 
For each host,\r\nBitPaymer spawns another net.exe process with command net view \u003chost\u003e using the newly discovered host\r\nas a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list\r\nof all available shares has been gathered, BitPaymer attempts to mount them to be encrypted.\r\nEncryption Routine\r\nFor each drive targeted, the malware recursively iterates through all files and directories. For each file, the name\r\nand path are compared against a list of excluded filenames and two lists of excluded directory names. These\r\nexclusion lists are composed of regular expression type strings that are located in the encrypted strings table. If the\r\nfile name and path do not match any regular expressions in the exclusion lists, the file is encrypted. The file\r\nencryption algorithm imports a hard-coded RSA 1024-bit public key from the encrypted strings table using\r\nCryptImportPublicKeyInfo, and for each file, generates a 128-bit RC4 key using CryptGenKey. The RC4 key\r\nis then used to encrypt the file in place. Once it is encrypted, the file is moved to a new file with the same name,\r\nand the file extension is appended with the keyword .locked. The RC4 key is exported as a SIMPLEBLOB\r\nencrypted with the RSA key and Base64-encoded. A second file is created with the same name as the encrypted\r\nfile, except it is appended with the extension .readme_txt. A ransom note is written to this file, and the RSA-encrypted, Base64-encoded RC4 key is appended to this file along with the KEY: string. An example of the\r\nransom note with the appended key is shown in Figure 3.\r\nFigure 3. 
BitPaymer Ransom Note with Encrypted RC4 Key\r\nBecause the key is not appended to the encrypted file but instead written to a separate file, if the file containing the\r\nransom note is accidentally deleted or moved to a separate directory, the encrypted file will become\r\nunrecoverable. There is some indication that this may have occurred in the past, as newer ransom notes include\r\nspecific warnings about touching the readme_txt files, while older versions of the ransom notes do not. The text\r\nfrom a newer ransom note is provided below in Figure 4.\r\nFigure 4. Newer Version of BitPaymer Ransom Note\r\nThe language in the ransom notes indicates that this ransomware is targeted specifically at companies, not\r\nindividuals. The notes also contain a threat to leak private information that has been collected from the target if the\r\nransom is not paid. Though there is no functionality to collect this information in the ransomware itself, the\r\nransomware is deployed by INDRIK SPIDER in parallel with Dridex malware, and the Dridex malware contains\r\nmodules that may be used to collect information from infected hosts. The use of an embedded RSA public key\r\nalso indicates that each build of the ransomware binary is unique to a specific target. By design, the decryption\r\ntool needs to contain the corresponding RSA private key, so if the same build were used for multiple targets, the\r\nransom would only need to be paid once to acquire the private key, which could then be used to decrypt all the\r\ninfections. 
Falcon Intelligence has acquired multiple decryption tools related to BitPaymer, which confirm the\r\ntheory that a unique key is used for each infection.\r\nRansom Note and Decryption Process\r\nInformation provided in BitPaymer ransom notes has continued to change, with the first change coming shortly\r\nafter the first identified campaign in July 2017. Initially, INDRIK SPIDER provided all required information in\r\neither the ransom note or through a TOR-based payment portal, meaning the victim could make the payment with\r\nvery little interaction with the actor. However, later notes removed this key information, forcing the victims to\r\nemail the INDRIK SPIDER campaign operator for payment and decryption details. A table of observed ransom\r\nnote changes can be seen below.\r\nTable 3. BitPaymer Ransom Note Changes\r\nBy removing the ransom demand from the note, INDRIK SPIDER can change the amount based on campaign\r\nsuccess, which likely depends on the size of the organization and the speed of initial contact from the victim.\r\nEmail Support for Decryption\r\nUnlike many ransomware operations, which usually just require victims to make the payment and subsequently\r\ndownload a decryptor, INDRIK SPIDER requires the victim to engage in communication with an operator. Falcon\r\nIntelligence has had unique insight into the email dialogue between a victim and an INDRIK SPIDER operator.\r\nThis dialogue has revealed details about how the adversary approaches payment negotiation with the victim, as\r\nwell as the communication of decryption instructions. Initial victim communication with the INDRIK SPIDER\r\noperator, using one of the email addresses provided, results in the operator providing key pieces of information up\r\nfront, such as the BTC address and the ransom amount. 
INDRIK SPIDER is also willing to demonstrate\r\ndecryption legitimacy by offering to decrypt two test files of the victim’s choice. It was made clear during\r\ncommunications that INDRIK SPIDER is not willing to negotiate on the ransom amount, explicitly stating that the\r\nvictim can use multiple Bitcoin exchanges to obtain the number of BTC required, and the exchange rate should be\r\ncalculated based on the rate posted on the cryptocurrency exchange Bittrex. Ransom demands have varied\r\nbetween requesting an exact USD value in BTC and an exact number of BTC, which is likely due to the continued\r\nfluctuation in the BTC-to-USD value. In communications with INDRIK SPIDER, the victim is told to use any\r\nBTC exchange from the top 10 and seek help from local information technology (IT) support companies. Of note,\r\nINDRIK SPIDER specifies the geographical location of where the victim should seek help, confirming that they\r\nknow key information about the victim. Once payment has been made, INDRIK SPIDER acknowledges receipt\r\nand states that the decryptor will be “delivered within a few hours.” Though earlier in the communication process\r\na one-hour time window for delivery of the decryptor is promised upon receipt of payment, the decryptor was\r\nactually delivered closer to four hours after payment. This discrepancy could be due to the difference in time\r\nzones and working hours of the INDRIK SPIDER operator. INDRIK SPIDER uses file sharing platforms to\r\ndistribute the BitPaymer decryptor. In an extensive email to the victim, the INDRIK SPIDER operator provides a\r\ndecryptor download link, decryptor deletion link (to be used following decryptor download) and a password. The\r\nsame email also provides clear instructions on how to download and use the BitPaymer decryptor, including how\r\nto remove the malware persistence. 
The operator also states that they will be able to provide assistance using the\r\nsame email address for a further period of time, which is usually until the end of the current work week.\r\nInterestingly, INDRIK SPIDER provides the victim with several key security recommendations to follow that may\r\nultimately avoid further breaches (see Figure 5).\r\nThe recommendations provided are not only good advice, but also provide indications of how INDRIK SPIDER\r\nbreaches organizations and moves laterally until domain controller access is gained.\r\nFigure 5. BitPaymer Security Recommendations\r\nRansom Payments\r\nRansom demands have varied significantly, suggesting that INDRIK SPIDER likely calculates the ransom amount\r\nbased on the size and value of the victim organization. The lowest identified payment was for approximately\r\n$10,000 USD, and the highest observed was for close to $200,000 USD.\r\nBTC Address Total Received in USD\r\n12AWdHJkwF193ud21XWGontyCJTW6A9i6p $197,596.05\r\n1Ln9RxSRuDqqFhCTuqBPBKRMeyhVhRaUG4 $0\r\n1BWj247jtipKr1wuFciKypeidZVwZWHCi9 $77,651.59\r\n19aF868XPJhNqheXWgvrHPqnXpwhttf3Hw $173,315.48\r\n14uAWnPnhtrXDB9DTBCruToawM65dUgwot $740,752.71\r\n1PNmBWJHzJGqTUemastR7E4ccrUNASktmZ $172,793.80\r\n1DWbPyjmbKA1NFqv3nyL47y9Vsz6WFU4Hw $192,867.22\r\nTable 4. BitPaymer BTC Addresses and Identified Payment Totals\r\nAs of Nov. 1, 2018, Falcon Intelligence had observed a total of 185.7 BTC paid to INDRIK-SPIDER-controlled\r\nBTC addresses, with a USD total of $1,554,977 based on BTC-to-USD value at the time the ransom payment was\r\nmade.\r\nHow CrowdStrike Falcon® Prevent Stops BitPaymer\r\nThe process tree for BitPaymer, as seen by the Falcon sensor, is shown below in Figure 6. 
To prevent BitPaymer\r\nfrom encrypting files on the host, Falcon Prevent™ next-generation antivirus must kill the ransomware process (KX9OGR~1:BIN) prior to execution of the file\r\nencryption routines.\r\nFigure 6. BitPaymer Process Tree\r\nFalcon Prevent provides two layers of defense to protect against ransomware threats like BitPaymer: indicators of\r\nattack (IOAs) and machine learning (ML). Either one of these defenses is enough to stop the BitPaymer process\r\nbefore it can encrypt any files. Figure 7 below shows an example of an IOA prevention alert that is sent to the\r\ncentralized Falcon console. In this case, BitPaymer’s attempt to delete the backup shadow files triggered the IOA\r\nthat led to the prevention of this process.\r\nFigure 7. BitPaymer Prevented by Falcon Prevent\r\nHad a prevention not existed for this IOA, BitPaymer would still have been prevented with CrowdStrike\r\nFalcon®’s ML capabilities. Below, Figure 8 shows CrowdStrike ML detecting the BitPaymer binary as malicious.\r\nFigure 8. BitPaymer Detected by CrowdStrike Machine Learning\r\nThe Future of INDRIK SPIDER and Big Game Hunting\r\nINDRIK SPIDER consists of experienced malware developers and operators who have likely been part of the\r\ngroup since the early days of Dridex operations, beginning in June 2014. The formation of the group and the\r\nmodus operandi changed significantly in early 2017. Dridex operations became more targeted, resulting in less\r\ndistribution and fewer Dridex sub-botnets in operation, and BitPaymer ransomware operations began in July 2017. 
There\r\nis no doubt that BitPaymer ransomware operations are proving successful for this criminal group, with an average\r\nestimated take of over $200,000 USD per victim, but it is also important to remember that INDRIK SPIDER\r\ncontinues to operate the Dridex banking trojan. Though Dridex is still bringing in criminal revenue for the actor\r\nafter almost four years of operation, targeted wire fraud operations likely require lengthy planning. Therefore, a\r\nransomware operation provides high-value income for the actor for a lot less expenditure, both in operator and\r\ndevelopment costs. Falcon Intelligence anticipates that INDRIK SPIDER will continue to operate both Dridex and\r\nBitPaymer, with the two monetization strategies complementing each other. In scenarios where wire fraud is not\r\nas lucrative an option, INDRIK SPIDER might use ransomware to monetize the compromise instead. What is\r\nclear, though, is that the low-scale, selective-targeting and high-payout tactics of big\r\ngame hunting are proving to be a winning strategy for INDRIK SPIDER. INDRIK SPIDER isn’t the only criminal\r\nactor running big game hunting operations; the first ransomware to stake a claim for big game hunting was Samas\r\n(aka SamSam), which is developed and operated by BOSS SPIDER. Since it was first identified in January 2016, this adversary has consistently targeted large organizations for high ransom demands. In July 2017, INDRIK\r\nSPIDER joined the movement of targeted ransomware with BitPaymer. Most recently, the ransomware known as\r\nRyuk came to market in August 2017 and has netted its operators, tracked by Falcon Intelligence as GRIM\r\nSPIDER, a significant (and immediate) profit in campaigns also targeting large organizations. 
Falcon Intelligence anticipates that big game hunting operations will continue to grow. The criminal actors INDRIK SPIDER, BOSS SPIDER, and GRIM SPIDER will sustain their operations in the near-term. It is also likely that other criminal actors are considering the option of running sophisticated ransomware operations. Given the tools, skilled campaign operators and malware required, it is likely there will still be only a handful of criminal groups able to do so in the near future; however, Falcon Intelligence considers this to be a growing eCrime threat.\r\nIndicators\r\nThe following table contains SHA256 hashes for BitPaymer samples analyzed by Falcon Intelligence.\r\nThe following table contains SHA256 hashes for unpacked BitPaymer decryptor samples analyzed by Falcon Intelligence.\r\nThe following table contains SHA256 hashes for Dridex samples deployed during the initial stages of a BitPaymer compromise.\r\n
Learn More:\r\nFor more information on how to incorporate intelligence on threat actors like INDRIK SPIDER into your security strategy, please visit the Falcon Intelligence product page\r\nDownload the CrowdStrike 2020 Global Threat Report\r\nLearn more about CrowdStrike’s next-gen AV solution\r\nTest Falcon Prevent for yourself with a free 15-day trial today\r\nSource: https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
	],
	"report_names": [
		"big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aeffe23dbc5ed366c413f580fc8f67b1ce72e675.pdf",
		"text": "https://archive.orkl.eu/aeffe23dbc5ed366c413f580fc8f67b1ce72e675.txt",
		"img": "https://archive.orkl.eu/aeffe23dbc5ed366c413f580fc8f67b1ce72e675.jpg"
	}
}