Indrik Spider
Indrik Spider, also known as Evil Corp, is a highly sophisticated Russian cybercriminal syndicate active since at least 2014. Best known for developing the Dridex banking Trojan and orchestrating large-scale ransomware campaigns, the group has targeted high-profile sectors worldwide, including healthcare and finance, causing severe monetary and operational damages.
Indrik Spider TTPs
Tactics
The group primarily focuses on financial theft through ransomware and banking malware, leveraging sophisticated techniques to target high-value entities ("big-game hunting"). Their goals are monetary gain and large-scale disruption.
Techniques
Indrik Spider employs phishing schemes, advanced persistent threat (APT)-style intrusions, and credential theft to infiltrate systems. Techniques often involve the deployment of malware such as Dridex and ransomware variants such as DoppelPaymer, with lateral movement used to spread widely across the network before the ransomware is executed.
Procedures
Their methods include initial access through phishing campaigns, exploitation of unpatched vulnerabilities, and code signing to evade detection. Once inside, they exfiltrate data, encrypt systems, and execute double-extortion tactics by threatening to leak sensitive information unless the ransom is paid.
Indicators of Compromise (IoCs)
Typical IoCs associated with Indrik Spider’s operations include IP addresses, domains, and malware payload signatures. Dridex infections, BitPaymer ransom notes, and unusual outbound network traffic (indicating data exfiltration) are hallmarks of their activities.
Key Victims
Notable victims of Indrik Spider include the UK’s National Health Service (NHS) during the 2017 ransomware attack, Funke Mediengruppe, and the University Hospital Düsseldorf, among others. Industries such as healthcare, financial services, and defense have been repeatedly targeted.
Notable Cyberattacks
NHS Ransomware Attack (2017)
Funke Mediengruppe (2020)
University Hospital Düsseldorf Attack (2020)
Law Enforcement & Arrests
Ongoing efforts to apprehend key members like Maksim Yakubets highlight the involvement of international law enforcement agencies. The United States Department of Justice has taken significant steps, including issuing indictments and reward offers.
How to Defend Against Indrik Spider
Implement Multi-Factor Authentication (MFA): Protect all accounts, especially administrative ones.
Regularly Update and Patch Systems: Fix known vulnerabilities to prevent exploits.
Security Awareness Training: Educate employees on recognizing phishing and social engineering tactics.
Monitor Network Traffic: Detect abnormal patterns of data exfiltration or lateral movement.
Offline Backup Practices: Safeguard important data in secure, disconnected locations.
Huntress tools and services can provide proactive monitoring and incident response capabilities, equipping organizations to counter Indrik Spider’s threats effectively.