G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
Analyst context for executives and security teams
Indrik Spider matters because the ATT&CK record ties the group to a progression from banking malware to targeted ransomware operations and a diversified toolset after sanctions and indictment. For leaders, the practical issue is not the group name alone; it is whether the organization can detect and contain the behaviors commonly associated with financially motivated intrusion operations: credential theft, valid-account abuse, remote execution, lateral movement, tool transfer, staging, and ransomware-enabling activity.
Executive priority
Prioritize this as an operational resilience and incident-readiness problem. The supplied relationships point to Windows-heavy credential and lateral-movement tradecraft, plus cross-platform post-exploitation tooling. Executives should ask whether identity controls, privileged access monitoring, endpoint visibility, remote access governance, and ransomware response playbooks have been validated with evidence rather than assumed to work. The sanctions-related references also make legal, compliance, and payment decision workflows relevant during ransomware response, but local counsel and incident-specific facts are required.
Technical view
ATT&CK does not provide an official detection section for this group, so coverage should be validated from the related software and techniques. Focus on credential access to LSASS, use of Mimikatz, valid domain account abuse, RDP and SSH lateral movement, PsExec and WMI execution, PowerShell/cmd/JavaScript execution, registry query or modification, remote system and service discovery, ingress tool transfer, local data staging, and use of post-exploitation frameworks such as Cobalt Strike, Empire, and Donut-generated payloads. Treat legitimate admin tools like PsExec, WMI, RDP, SSH, and PowerShell as high-context detections: the value comes from correlating identity, host, process, network, and administrative-change telemetry.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, cmd, WMI, PsExec-style execution, registry utilities, and scripting engines
- Windows security events and authentication logs for domain account use, privileged logons, RDP sessions, and unusual lateral movement
- EDR memory-access telemetry and alerts related to LSASS access or credential dumping behavior
- Registry query and modification events on Windows hosts
- Network telemetry for remote service use, tool transfer, command-and-control-like connections, and internal discovery patterns
Detection direction
- Validate detections across behavior chains, not just malware names: credential access followed by valid-account use, remote execution, discovery, tool transfer, staging, and ransomware precursor activity should raise priority.
- Tune detections for legitimate administration tools. PsExec, WMI, PowerShell, RDP, SSH, and registry utilities are common in normal operations, so baselines for administrators, servers, maintenance windows, and approved tooling are essential.
- Confirm visibility into LSASS access and credential dumping attempts, including whether endpoint controls generate usable evidence before credentials are reused.
- Correlate identity events with endpoint and network telemetry to identify domain account abuse and lateral movement that may not look malicious in a single log source.
- Hunt for post-exploitation framework indicators and behaviors associated with Cobalt Strike, Empire, and in-memory payload loading, while avoiding reliance on static indicators alone.
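The cross-source correlation the Technical view and the Detection direction items call for, as an added example that is not part of the ATT&CK record or this page's original content: a small Python correlator over constructed Sysmon, Security and System events that alerts only when non-allowlisted LSASS access on one host is followed, within two hours, by an unbaselined domain-account logon from that host to a second host, and then by a PsExec-style service install or wmic /node: execution on that second host. Host names, accounts, the LSASS allowlist and the logon baseline are assumptions for illustration.

```python
"""Chain correlation for credential theft followed by valid-account lateral movement.

Per source host, look for:
  1. a non-allowlisted process opening lsass.exe (Sysmon EID 10)
  2. within WINDOW, a domain account logging on to another host over the
     network or RDP from that source host (Security 4624, LogonType 3/10)
     where the (account, target host) pair is absent from the admin baseline
  3. inside the same window, a PsExec-style service install on the target
     (System EID 7045 with PSEXESVC in ImagePath) or wmic /node: execution

Events, hosts, accounts, allowlist and baseline are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str        # host that logged the event
    source: str      # "sysmon", "security" or "system"
    event_id: int
    data: dict


# Processes expected to open LSASS; extend from your own EDR/AV baseline (assumed here).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe", "svchost.exe"}

# (account, target host) pairs seen in normal administration (assumed baseline).
BASELINE_LOGONS = {("CORP\\admin.jo", "DC01"), ("CORP\\svc-backup", "FS01")}

WINDOW = timedelta(hours=2)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lsass_access(ev: Event) -> bool:
    if (ev.source, ev.event_id) != ("sysmon", 10):
        return False
    return (_basename(ev.data.get("TargetImage", "")) == "lsass.exe"
            and _basename(ev.data.get("SourceImage", "")) not in LSASS_ALLOWLIST)


def account_of(ev: Event) -> str:
    return f"{ev.data.get('TargetDomainName', '')}\\{ev.data.get('TargetUserName', '')}"


def is_unbaselined_lateral_logon(ev: Event) -> bool:
    if (ev.source, ev.event_id) != ("security", 4624):
        return False
    if ev.data.get("LogonType") not in (3, 10):
        return False
    acct = account_of(ev)
    if acct.endswith("$"):            # machine accounts are out of scope here
        return False
    return (acct, ev.host) not in BASELINE_LOGONS


def is_remote_exec(ev: Event) -> bool:
    if (ev.source, ev.event_id) == ("system", 7045):
        return "psexesvc" in ev.data.get("ImagePath", "").lower()
    if (ev.source, ev.event_id) == ("sysmon", 1):
        cl = ev.data.get("CommandLine", "").lower()
        return cl.startswith("wmic") and "/node:" in cl
    return False


def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per (source host, account, target host) chain found."""
    events = sorted(events, key=lambda e: e.ts)
    alerts, seen = [], set()
    for cred in filter(is_lsass_access, events):
        deadline = cred.ts + WINDOW
        for logon in events:
            if not (cred.ts <= logon.ts <= deadline) or not is_unbaselined_lateral_logon(logon):
                continue
            # the logon must originate from the host where LSASS was read
            if logon.data.get("WorkstationName", "").upper() != cred.host.upper():
                continue
            key = (cred.host, account_of(logon), logon.host)
            if key in seen:
                continue
            for ex in events:
                if ex.host == logon.host and logon.ts <= ex.ts <= deadline and is_remote_exec(ex):
                    seen.add(key)
                    alerts.append({"source_host": cred.host, "account": account_of(logon),
                                   "target_host": logon.host, "chain": [cred, logon, ex]})
                    break
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2024, 5, 2, int(hhmm[:2]), int(hhmm[3:]))


# Constructed telemetry: an AV scan of LSASS and a baselined admin logon (benign),
# then procdump on WS07 -> RDP to FS01 with the stolen account -> PSEXESVC on FS01.
SAMPLE_EVENTS = [
    Event(_t("09:00"), "WS07", "sysmon", 10, {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"}),
    Event(_t("09:05"), "DC01", "security", 4624, {"LogonType": 10, "TargetDomainName": "CORP", "TargetUserName": "admin.jo", "WorkstationName": "WS07"}),
    Event(_t("09:10"), "WS07", "sysmon", 10, {"SourceImage": r"C:\Users\Public\procdump64.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}),
    Event(_t("09:40"), "FS01", "security", 4624, {"LogonType": 10, "TargetDomainName": "CORP", "TargetUserName": "admin.jo", "WorkstationName": "WS07"}),
    Event(_t("09:42"), "FS01", "system", 7045, {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(_t("09:50"), "FS01", "security", 4624, {"LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc-backup", "WorkstationName": "BK02"}),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['source_host']} -> {a['target_host']} as {a['account']}: "
              + " -> ".join(f"{e.source}/{e.event_id}" for e in a["chain"]))
```

The allowlist and the baseline are where the tuning happens: the admin.jo logon to DC01 is ignored only because that pair is baselined, so the baseline has to be built from observed administrator behaviour, and the LSASS allowlist from what your EDR and AV actually do, rather than from role assumptions.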
Mitigation priorities
- Start with identity hardening: reduce standing privilege, protect domain accounts, enforce strong authentication for remote access, and monitor privileged account use.
- Harden credential theft paths by limiting local administrator exposure, protecting LSASS where feasible, and reviewing credential caching and administrative workstation practices.
- Constrain lateral movement by limiting RDP, SSH, WMI, and PsExec-style access to approved administrative sources and documented use cases.
- Improve endpoint and server logging before an incident: process command lines, script logging, registry activity, authentication events, and file staging evidence should be retained long enough for investigation.
- Prepare ransomware response decisions in advance, including isolation authority, backup validation, legal/compliance escalation, and sanctions-aware payment governance.
Analyst notes and limits
The group aliases supplied include Indrik Spider, Evil Corp, Manatee Tempest, DEV-0243, and UNC2165. The official description states the group is Russia-based, active since at least 2014, associated with Dridex and later ransomware operations including BitPaymer, WastedLocker, and Hades, and that it changed tactics and diversified tooling after U.S. sanctions and a 2019 indictment. Relationship context supplies the main basis for defensive prioritization.
The group object has no official ATT&CK detection text, no group-level platforms or tactics specified, and the relationship descriptions are partial summaries. This assessment does not establish current activity, customer exposure, or guaranteed detection. Local telemetry, asset scope, identity architecture, and incident evidence are required to determine risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | LSASS Memory | Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1587.001 | Malware | Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker. (Citation: Crowdstrike Indrik November 2018) |
| Enterprise | T1136 | Create Account | Indrik Spider used |
| Enterprise | T1112 | Modify Registry | Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities. (Citation: Mandiant_UNC2165) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Indrik Spider used fake updates for the Flash Player plugin and Google Chrome as initial infection vectors. (Citation: Crowdstrike Indrik November 2018) |
| Enterprise | T1007 | System Service Discovery | Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1583 | Acquire Infrastructure | Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments. (Citation: Mandiant_UNC2165) |
| Enterprise | T1685 | Disable or Modify Tools | Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring. (Citation: Symantec WastedLocker June 2020) Indrik Spider has used `MpCmdRun` to revert the definitions in Microsoft Defender. (Citation: Mandiant_UNC2165) Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services. (Citation: Mandiant_UNC2165) |
| Enterprise | T1074.001 | Local Data Staging | Indrik Spider has stored collected data in a .tmp file. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1021.001 | Remote Desktop Protocol | Indrik Spider has used RDP for lateral movement. (Citation: Mandiant_UNC2165) |
| Enterprise | T1555.005 | Password Managers | Indrik Spider has accessed and exported passwords from password managers. (Citation: Mandiant_UNC2165) |
| Enterprise | T1590 | Gather Victim Network Information | Indrik Spider has downloaded tools, such as the Advanced Port Scanner utility and Lansweeper, to conduct internal reconnaissance of the victim network. Indrik Spider has also accessed the victim's VMware vCenter, which had information about host configuration, clusters, etc. (Citation: Mandiant_UNC2165) |
| Enterprise | T1059.001 | PowerShell | Indrik Spider has used PowerShell Empire for execution of malware. (Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1078.002 | Domain Accounts | Indrik Spider has collected credentials from infected systems, including domain accounts. (Citation: Crowdstrike Indrik November 2018) |
| Enterprise | T1552.001 | Credentials In Files | Indrik Spider has searched files to obtain and exfiltrate credentials. (Citation: Mandiant_UNC2165) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware. (Citation: Mandiant_UNC2165) |
| Enterprise | T1059.003 | Windows Command Shell | Indrik Spider has used batch scripts on victims' machines. (Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165) |
| Enterprise | T1484.001 | Group Policy Modification | Indrik Spider has used Group Policy Objects to deploy batch scripts. (Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165) |
| Enterprise | T1047 | Windows Management Instrumentation | Indrik Spider has used WMIC to execute commands on remote computers. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1078 | Valid Accounts | Indrik Spider has used valid accounts for initial access and lateral movement. (Citation: Mandiant_UNC2165) Indrik Spider has also maintained access to the victim environment through the VPN infrastructure. (Citation: Mandiant_UNC2165) |
| Enterprise | T1486 | Data Encrypted for Impact | Indrik Spider has encrypted domain-controlled systems using BitPaymer. (Citation: Crowdstrike Indrik November 2018) Additionally, Indrik Spider used PsExec to execute a ransomware script. (Citation: Mandiant_UNC2165) |
| Enterprise | T1685.005 | Clear Windows Event Logs | Indrik Spider has used Cobalt Strike to empty log files. (Citation: Symantec WastedLocker June 2020) Additionally, Indrik Spider has cleared all event logs using `wevtutil`. (Citation: Mandiant_UNC2165) |
| Enterprise | T1136.001 | Local Account | Indrik Spider has created local system accounts and has added the accounts to privileged groups. (Citation: Mandiant_UNC2165) |
| Enterprise | T1018 | Remote System Discovery | Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1059.007 | JavaScript | Indrik Spider has used malicious JavaScript files for several components of their attack. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1585.002 | Email Accounts | Indrik Spider has created email accounts to communicate with their ransomware victims, including providing payment and decryption details. (Citation: Crowdstrike Indrik November 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host. (Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)(Citation: Mandiant_UNC2165) |
| Enterprise | T1489 | Service Stop | Indrik Spider has used PsExec to stop services prior to the execution of ransomware. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1012 | Query Registry | Indrik Spider has used a service account to extract copies of the `Security` Registry hive. (Citation: Mandiant_UNC2165) |
| Enterprise | T1558.003 | Kerberoasting | Indrik Spider has conducted Kerberoasting attacks using a module from GitHub. (Citation: Mandiant_UNC2165) |
| Enterprise | T1204.002 | Malicious File | Indrik Spider has attempted to get users to click on a malicious zipped file. (Citation: Symantec WastedLocker June 2020) |
| Enterprise | T1021.004 | SSH | Indrik Spider has used SSH for lateral movement. (Citation: Mandiant_UNC2165) |
| Enterprise | T1584.004 | Server | Indrik Spider has served fake updates via legitimate websites that have been compromised. (Citation: Crowdstrike Indrik November 2018) |
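As an added example that is not part of the ATT&CK record or this page's original text: the patterns below map process-creation command lines to several of the procedures in the table (ProcDump against LSASS, wmic /node:, win32_service enumeration, MpCmdRun -RemoveDefinitions, wevtutil cl, net/sc stop, reg save of the SECURITY hive, Rclone and MEGAsync) and flag a host where security tooling is tampered with and, inside a short window, services are stopped or logs are cleared, which is the pre-encryption sequence the Symantec and Mandiant procedures describe. Set-MpPreference is assumed here as the mechanism behind the Defender changes the table mentions; the technique IDs are the ones used in the table; the command lines, hosts and timestamps are constructed samples.

```python
"""Map process command lines to procedures from the technique table and flag
hosts showing a ransomware-precursor combination: security tooling tampered
with plus, within a short window, services stopped or event logs cleared.

Technique IDs are those used in the table on this page. Command lines, hosts
and timestamps are constructed samples, not observed telemetry.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique id, name, regex over the full process command line)
PROCEDURE_PATTERNS = [
    ("T1003.001", "LSASS Memory",
     re.compile(r"procdump\S*\s+.*-ma\s+lsass", re.I)),
    ("T1007", "System Service Discovery",
     re.compile(r"win32_service|\bwmic\S*\s+service\b", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic\S*\s+/node:", re.I)),
    # MpCmdRun definitions revert; Defender preference changes (Set-MpPreference assumed)
    ("T1685", "Disable or Modify Tools",
     re.compile(r"MpCmdRun\S*\s+.*-RemoveDefinitions|Set-MpPreference\s+.*-Disable\w+", re.I)),
    ("T1685.005", "Clear Windows Event Logs",
     re.compile(r"\bwevtutil\S*\s+(?:cl|clear-log)\b", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\bnet(?:1|\.exe)?\s+stop\b|\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?stop\b", re.I)),
    ("T1567.002", "Exfiltration to Cloud Storage",
     re.compile(r"\b(?:rclone|megasync)\b", re.I)),
    ("T1012", "Query Registry",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\SECURITY\b", re.I)),
]

TAMPER = "T1685"
PRECURSOR_COMPANIONS = {"T1489", "T1685.005"}
PRECURSOR_WINDOW = timedelta(minutes=90)


def classify(cmdline: str) -> list[str]:
    """Technique IDs whose procedure pattern matches the command line."""
    return [tid for tid, _name, rx in PROCEDURE_PATTERNS if rx.search(cmdline)]


def precursor_alerts(events, window=PRECURSOR_WINDOW) -> dict[str, list[str]]:
    """events: iterable of (timestamp, host, command line).

    Returns {host: sorted technique ids seen within `window` of a tamper event}
    for hosts where tampering coincides with service stops or log clearing.
    A lone `net stop` or a `wevtutil qe` query from an admin host does not qualify.
    """
    hits = defaultdict(list)            # host -> [(ts, technique id)]
    for ts, host, cmd in events:
        for tid in classify(cmd):
            hits[host].append((ts, tid))
    alerts = {}
    for host, pairs in hits.items():
        for t0 in (ts for ts, tid in pairs if tid == TAMPER):
            related = {tid for ts, tid in pairs if abs(ts - t0) <= window}
            if related & PRECURSOR_COMPANIONS:
                alerts[host] = sorted(related)
                break
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2024, 5, 2, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample process-creation events (timestamp, host, command line).
SAMPLE_EVENTS = [
    (_t("09:10"), "WS07", r"C:\Users\Public\procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"),
    (_t("09:12"), "WS07", r"reg save HKLM\SECURITY C:\Users\Public\sec.hiv"),
    (_t("09:45"), "WS07", r'wmic /node:FS01 process call create "cmd.exe /c whoami"'),
    (_t("10:02"), "FS01", r'powershell.exe -NoP -C "Get-WmiObject -Class win32_service | Select Name,State"'),
    (_t("10:05"), "FS01", r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (_t("10:06"), "FS01", r"net stop MSSQLSERVER /y"),
    (_t("10:08"), "FS01", r"wevtutil cl Security"),
    (_t("10:20"), "WS12", r"rclone.exe copy D:\Finance remote:bkp --transfers 16"),
    (_t("13:00"), "ADM01", r"net stop Spooler"),           # routine admin action, no tampering
    (_t("13:01"), "ADM01", r"wevtutil qe Security /c:5"),  # a query, not a clear
]

if __name__ == "__main__":
    for ts, host, cmd in SAMPLE_EVENTS:
        print(ts.time(), host, classify(cmd) or "-", cmd[:60])
    print(precursor_alerts(SAMPLE_EVENTS))
```

The single-line matches are only triage input; the alert is the combination on FS01. Command-line patterns like these are easy to evade with renamed binaries, so pair them with the event-based signals the table also implies: Security 1102 for log clearing, System 7036/7045 for service state changes, and Defender's own operational log for definition and real-time protection changes.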
Groups, software, and campaigns
S0695: Donut
S0002: Mimikatz
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0029: PsExec
S0384: Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[1][2][3]
S0612: WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[1][2][3]
S0570: BitPaymer
BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object version, MITRE modification timestamp, and raw object hash. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.1 | | Current bundle | a678d30f1382… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Crowdstrike Indrik November 2018: Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- [2] Crowdstrike EvilCorp March 2021: Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
- [3] Treasury EvilCorp Dec 2019: U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
- [4] DEV-0243 (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [5] Evil Corp (alias): (Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
- [6] Manatee Tempest (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [7] Mandiant_UNC2165: Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
- [8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [9] UNC2165 (alias): (Citation: Mandiant_UNC2165)
- [10] mitre-attack: G0119
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.