{
	"id": "83fbfae3-2d56-4a2d-a735-dd4e54c42604",
	"created_at": "2026-04-06T00:18:25.727565Z",
	"updated_at": "2026-04-10T03:36:11.242309Z",
	"deleted_at": null,
	"sha1_hash": "f23f9a480c5cdd7c79dd78ef6536520d24cf0551",
	"title": "Sprite Spider emerging as one of the most destructive ransomware threat actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46547,
	"plain_text": "Sprite Spider emerging as one of the most destructive ransomware\r\nthreat actors\r\nBy Cynthia Brumfield Contributing Writer\r\nPublished: 2021-02-01 · Archived: 2026-04-05 14:33:38 UTC\r\nHaving flown under the radar for several years, the Sprite Spider group is using a\r\nransomware code suite that is effective and hard to detect.\r\nAt the recent SANS Cyber Threat Intelligence Summit, two CrowdStrike cybersecurity leads, Senior Security\r\nResearcher Sergei Frankoff and Senior Intelligence Analyst Eric Loui, offered details on an emerging major\r\nransomware actor they call Sprite Spider. Like many other ransomware attackers, the gang behind Sprite Spider’s\r\nattacks has grown rapidly in sophistication and damage capacity since 2015. (CrowdStrike’s research was echoed\r\nin a lengthy report from Palo Alto Networks’ Unit 42 in November 2020.)\r\nToday Sprite Spider is poised to become one of the biggest ransomware threat actors of 2021 and has a threat\r\nprofile on par with what advanced persistent threat actors were five or ten years ago. Sprite Spider’s rise as a\r\nsophisticated threat is not surprising given that it, like many other organized ransomware gangs, is filled with\r\nhackers who are often gainfully employed by nation-state threat actors.\r\nSprite Spider evolution\r\nSprite Spider got its start using a banking Trojan called Shifu in 2015, adding a malware loader called Vatet\r\naround 2017. In 2018, the gang deployed a remote access Trojan called PyXie. In 2019, the group evolved to the\r\npoint where it deployed ransomware called DEFRAY777.\r\nAt this point, CrowdStrike researchers tied Shifu, Vatet, and PyXie to the DEFRAY777 ransomware attacks. 
They\r\nrealized that all the activity from these components was tied to a single threat actor, which had been flying under\r\nthe radar.\r\nHow the Sprite Spider ransomware works\r\nThe gang can often escape detection primarily because its code looks benign, hiding in open-source projects such\r\nas Notepad++. The only thing Sprite Spider writes to disk is Vatet, making it even harder for analysts to track\r\nthem during incident response.\r\nDespite its stealth and multiple components, Sprite Spider displays some mundane characteristics. DEFRAY777 is\r\nnot sophisticated ransomware, but it gets the job done. Sprite Spider was also somewhat late to the dedicated leak\r\nsite game, waiting until late November 2020 to launch its own site for communicating with victims, months after\r\nother ransomware actors began launching these sites.\r\nhttps://www.csoonline.com/article/3604599/sprite-spider-emerging-as-one-of-the-most-destructive-ransomware-threat-actors.html\r\nPage 1 of 3\n\nThe real threat from Sprite Spider escalated in July 2020 when it began targeting ESXi hosts, which are typically\r\ndeployed by large organizations that use bare-metal hypervisor technology developed by VMware to manage\r\nmultiple virtual machines. 
DEFRAY777 deployed on ESXi hosts uses stolen credentials to authenticate to\r\nvCenter, which is the web interface for managing multiple ESXi devices and websites hosted on those devices.\r\nAfter that, the attackers log in, enable SSH, change SSH keys or root passwords, kill running processes and launch\r\nother tasks that lead to executing the binary in the TMP directory, encrypting all virtual machines and their hosts.\r\nShortly after Sprite Spider began targeting ESXi hosts, another threat group called Carbon Spider also began\r\nindependently targeting ESXi machines.\r\nBy targeting ESXi machines, Sprite Spider doesn’t have to deploy ransomware throughout the whole\r\norganizational environment—they have to target only a few servers to encrypt a wide swath of virtualized IT\r\ninfrastructure. “This is emblematic of a larger trend in the ecrime ecosystem, where some of the larger ecrime\r\nadversaries have largely shifted their operations away from banking fraud to these targeted ransomware\r\noperations,” CrowdStrike’s Loui said.\r\nCommodity malware infections are precursors to ransomware attacks\r\nMalware that was initially used as a banking Trojan has morphed into initial access tools. “Wizard Spider uses\r\nTrickBot as its initial access tool to deploy Ryuk and Conti ransomware. Indrik Spider uses Dridex for BitPaymer\r\nor WastedLocker, and Carbon Spider uses Sekur/Anunak for REvil or Darkside,” Loui said. “I want to emphasize\r\nfor those of you who are interfacing with CISOs or the C-suite directly, infections by so-called commodity tools or\r\nTrojans or downloaders can lead to major ransomware attacks. If you have an Emotet problem, you’re probably\r\ngoing to have a Trickbot problem. If you have a Trickbot problem, you are going to have a Ryuk or a Conti\r\nproblem.”\r\nTime is of the essence after detecting the commodity tools. 
“If you can’t detect, respond and remediate within an\r\nhour, there’s no way you’re going to be able to catch up,” Loui said.  “So, you have to treat those potentially\r\nserious infections even if they’re so-called commodity tools.”\r\nSprite Spider kill chain comparable to nation-states ten years ago\r\nThe kill chain of Sprite Spider and some of the other emerging major ransomware groups looks a lot like the early\r\ndays of how nation-state actors behaved. “It’s actually almost identical to the same kill chain threat that we were\r\ndealing with ten years ago with advanced persistent threat groups,” Frankoff said. “It’s the same steps taken, but\r\nthe objective at the end is different.”\r\n“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically\r\nNorth Korea,” CrowdStrike’s senior vice president of intelligence Adam Meyers tells CSO. He says that Iran and\r\nChina are also getting in on the ransomware game. “It’s not necessarily the nation-state that is conducting the\r\nattack, but [the cybercriminals] are using the skills they learned [by working for nation-state attackers] to make a\r\nlittle extra money on the side. The individuals engaged by the nation-state are conducting ransomware attacks on a\r\nmoonlight shift.”\r\nGrowing ransomware sophistication requires robust defenses\r\nWhatever the case may be, ransomware attackers are growing more sophisticated and powerful all the time. “In\r\n2020 it was clear that the sophistication and targeted use of ransomware on certain verticals was common practice\r\nby threat actors,” Mark Ostrowski, head of Engineering East for Check Point Software, tells CSO. “Clear\r\nevidence of this were attacks targeting healthcare and education networks and entities. 
In 2021, we can expect this\r\nto continue, and based on early reports, groups like Sprite Spider and others may specifically target interests with\r\nthe biggest return.”\r\nCrowdStrike’s Meyers has five recommendations for how organizations can best defend themselves in the face of\r\never-more destructive ransomware. First, “you need to prepare to defend. You have to do basic table stakes kind of\r\nstuff, things like patching,” he says.\r\nSecond, follow the one-ten-sixty rule. “You need to be able to identify things within about a minute, investigate it\r\nwithin about ten minutes, and respond to it in about an hour. If you can do that, you may be in a position to keep\r\nthese actors from moving across your enterprise.”\r\nThird, to cope with ransomware’s evolving nature, use next-generation protection because antivirus software does\r\nnot protect against these kinds of novel threats. “Next-gen protection uses something called machine learning or\r\nartificial intelligence. Machine learning really lets you make a determination about malware or files without ever\r\nhaving seen it before,” Meyers says.\r\nFourth, practice is essential.  “I always coach boards and executives to go through routine cadences of tabletop\r\nexercises.”\r\nFinally, know who the adversaries are. “If you understand who your threat actors are, how they operate, then\r\nyou’re in a better position to defend against them moving forward.”\r\nMark Weatherford, chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity\r\nofficial in the Obama administration, thinks it will take an international effort to address the growing ransomware\r\nscourge. “Until there is more of an international policy discussion, I think we’re going to see these things grow,”\r\nhe tells CSO. 
“What we need is an international combined effort from nations around the world to say that this is\r\nno longer acceptable.” The multi-national cooperation last week that took down the Emotet infrastructure used to\r\ndeliver ransomware suggests that this is now happening.\r\nSource: https://www.csoonline.com/article/3604599/sprite-spider-emerging-as-one-of-the-most-destructive-ransomware-threat-actors.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.csoonline.com/article/3604599/sprite-spider-emerging-as-one-of-the-most-destructive-ransomware-threat-actors.html"
	],
	"report_names": [
		"sprite-spider-emerging-as-one-of-the-most-destructive-ransomware-threat-actors.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f23f9a480c5cdd7c79dd78ef6536520d24cf0551.pdf",
		"text": "https://archive.orkl.eu/f23f9a480c5cdd7c79dd78ef6536520d24cf0551.txt",
		"img": "https://archive.orkl.eu/f23f9a480c5cdd7c79dd78ef6536520d24cf0551.jpg"
	}
}