Curly Spider
Curly Spider is a Russian-speaking cybercrime group that emerged in 2019 and operates within the ransomware-as-a-service (RaaS) ecosystem. Most well-known for its creation of the Snake (Ekans) ransomware family, the group's activity signifies a major shift in ransomware campaigns, explicitly targeting industrial control systems (ICS). By adopting a double-extortion model, Curly Spider disrupts critical operational technology (OT) environments, demanding payment through encryption and data exposure threats.
Curly Spider TTPs
Curly Spider employs a range of sophisticated tactics, techniques, and procedures (TTPs) to achieve its financial and disruptive objectives.
Tactics
The group focuses on ransomware deployment to encrypt data and disrupt critical systems, often employing a double-extortion strategy. Besides financial gains, its impact on industrial and critical infrastructure highlights the potential for collateral damage to national security sectors.
Techniques
To gain initial access, Curly Spider exploits exposed services such as remote desktop protocol (RDP) and virtual private networks (VPNs). Additionally, phishing campaigns and access purchased from brokers are often used. Post-exploitation, the Snake malware is manually deployed, with credential dumping, Active Directory compromises, and “living-off-the-land” binaries (e.g., PsExec, WMI) aiding lateral movement.
Procedures
Their ransomware, Snake/Ekans, appends encrypted files with extensions like .EKANS or .SNAKE, while simultaneously targeting ICS processes. These disruptions are achieved through custom scripts and a predetermined “kill list” of industrial software processes, a method designed to disable SCADA environments before encryption.
Indicators of Compromise (IoCs)
Key IoCs related to Curly Spider operations include malicious IP addresses, Snake ransomware file signatures, and phishing domains. Their use of well-known tools like Cobalt Strike also serves as a critical indicator during investigations.
Key Victims
Curly Spider’s targets primarily span industries such as energy, manufacturing, and critical infrastructure. Secondary victims include healthcare providers and enterprises across North America and Europe.
Notable Cyberattacks
State organizations in Moldova and Georgia were attacked in the first half of 2025. Researchers believed this was driven by Curly Spider, as the attack resembled the group's activity in both the choice of targets and the tools referenced. However, this isn’t confirmed.
Law Enforcement & Arrests
To date, there have been no documented arrests or direct law enforcement actions tied to Curly Spider’s operators. The group’s ICS-specific focus has, however, been a focal subject of global cybersecurity discussions.
How to Defend Against Curly Spider
Patch and secure exposed services like RDP and VPNs to prevent exploitation.
Separate IT and OT networks to limit lateral movement.
Monitor tools such as PsExec, WMI, and Cobalt Strike for signs of malicious activity.
Establish offline or immutable backups for both IT and OT systems.
Implement ICS monitoring to detect any unauthorized process/service interruptions.
Incorporate ransomware tabletop exercises, including ICS/OT scenarios, into incident response preparation.
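The "kill list, then encrypt" sequence described under Procedures, together with the ICS process monitoring recommended above, as an added detection example that is not part of the original page: it scans constructed sample telemetry for a burst of watchlisted ICS process exits followed within minutes by files gaining the .EKANS or .SNAKE extension. The process names in ICS_WATCHLIST and the log line format are assumptions, not Snake's actual kill list or any vendor's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real victim data): "<ts> <host> <event> <detail>",
# loosely modelled on process-exit and file-rename events from endpoint/ICS monitoring.
SAMPLE_LOG = """\
2025-03-01T02:10:04 plc-hmi-01 PROC_EXIT name=historian.exe
2025-03-01T02:10:05 plc-hmi-01 PROC_EXIT name=scadaview.exe
2025-03-01T02:10:05 plc-hmi-01 PROC_EXIT name=opcserver.exe
2025-03-01T02:10:06 plc-hmi-01 PROC_EXIT name=notepad.exe
2025-03-01T02:10:41 plc-hmi-01 FILE_RENAME C:\\Data\\trend.csv -> C:\\Data\\trend.csv.EKANS
2025-03-01T02:10:42 plc-hmi-01 FILE_RENAME C:\\Data\\alarms.db -> C:\\Data\\alarms.db.SNAKE
2025-03-01T09:30:00 eng-ws-07 PROC_EXIT name=opcserver.exe
2025-03-01T09:30:01 eng-ws-07 FILE_RENAME C:\\tmp\\a.txt -> C:\\tmp\\a.bak
"""
# Hypothetical watchlist of ICS/SCADA process names. Snake/Ekans carries its own
# predetermined kill list; these placeholders stand in for whatever your site runs.
ICS_WATCHLIST = {"historian.exe", "scadaview.exe", "opcserver.exe"}
RANSOM_EXT = re.compile(r"\.(EKANS|SNAKE)$", re.IGNORECASE)  # extensions named on this page
LINE = re.compile(r"^(\S+) (\S+) (PROC_EXIT|FILE_RENAME) (.*)$")

def parse(log):
    """Yield (timestamp, host, event_kind, detail) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_kill_list_then_encrypt(log, min_kills=2, window=timedelta(minutes=5)):
    """Alert per host when >= min_kills watchlisted ICS processes exit within `window`
    and a file gains a .EKANS/.SNAKE extension inside that same window (the
    'disable SCADA, then encrypt' sequence). Returns {host: {...}}."""
    kills, renames = defaultdict(list), defaultdict(list)
    for ts, host, kind, detail in parse(log):
        if kind == "PROC_EXIT":
            name = detail.split("name=", 1)[1].strip().lower()
            if name in ICS_WATCHLIST:
                kills[host].append((ts, name))
        elif RANSOM_EXT.search(detail.split(" -> ", 1)[1].strip()):
            renames[host].append(ts)
    alerts = {}
    for host, k in kills.items():
        for start, _ in sorted(k):  # slide the window over each kill as a start point
            burst = sorted({n for t, n in k if start <= t <= start + window})
            hits = [t for t in renames[host] if start <= t <= start + window]
            if len(burst) >= min_kills and hits:
                alerts[host] = {"ics_kills": burst, "ransom_renames": len(hits)}
                break
    return alerts
```

A single watchlisted exit with no ransom-extension rename (eng-ws-07 above) stays quiet, which keeps routine HMI restarts from paging anyone.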