Wandering Spider
Wandering Spider, active since at least April 2020, is a Big Game Hunting (BGH) adversary: a group that targets large organizations where downtime is expensive in order to extract large ransoms. The group has been linked to a succession of ransomware families and to intrusions against organizations of all sizes. Ransomware families associated with the group include Black Basta, DoppelPaymer, and REvil, among others.
Wandering Spider TTPs
Wandering Spider employs advanced tactics, techniques, and procedures (TTPs) designed to maximize impact and revenue from their campaigns.
Tactics
Targeting businesses with high-value operations to demand large-scale ransoms (Big Game Hunting).
Gaining initial access through phishing campaigns that harvest user credentials or trick users into running a malicious payload.
Techniques
Delivering malware via email attachments or links that persuade victims to execute the malicious payload.
Exploiting known, unpatched vulnerabilities to escalate privileges, move laterally through the network, and stage ransomware for deployment.
Procedures
Using tools like Black Basta to encrypt systems and display ransom notes.
Disabling security tooling to evade detection and hinder remediation once the ransomware has been deployed.
Indicators of Compromise (IoCs)
Bursts of file-extension changes across many files on one host, the signature of ransomware encryption, often accompanied by ransom notes written into each affected directory.
Anomalous outbound connections to external servers or VPN exit nodes associated with known threat-actor infrastructure.
Tooling and techniques previously linked to ransomware families such as DoppelPaymer and REvil.
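The first indicator above (many files on one host gaining the same new extension in a short window, followed by ransom notes appearing in several directories) is the kind of thing a detection can be written for. The example below is added here as an illustration and is not Huntress code or anything attributed to Wandering Spider. The pipe-delimited event format, the `.locked` extension, the `readme.txt` note name, and all hosts, users, and paths are constructed for the example; a real deployment would feed it rename and create events from EDR, Sysmon, or auditd telemetry and tune the threshold and window to the environment.

```python
"""Detect mass file-extension changes and ransom-note drops in file events.

Added example (not Huntress or Wandering Spider tooling). The event line
format, the ".locked" extension, the "readme.txt" note name and every host,
user and path below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample telemetry: "timestamp|host|user|old_path|new_path".
# An old_path of "-" means the file was created rather than renamed.
# WS-042 is a fast encryption burst; WS-007 is benign user activity;
# WS-099 renames files to the same extension but slowly, over an hour.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:00|WS-042|alice|C:\Users\alice\Documents\q1.xlsx|C:\Users\alice\Documents\q1.xlsx.locked
2024-05-01T10:00:00|WS-042|alice|C:\Users\alice\Documents\q2.xlsx|C:\Users\alice\Documents\q2.xlsx.locked
2024-05-01T10:00:01|WS-042|alice|C:\Users\alice\Documents\budget.docx|C:\Users\alice\Documents\budget.docx.locked
2024-05-01T10:00:01|WS-042|alice|C:\Users\alice\Pictures\team.jpg|C:\Users\alice\Pictures\team.jpg.locked
2024-05-01T10:00:02|WS-042|alice|C:\Users\alice\Pictures\logo.png|C:\Users\alice\Pictures\logo.png.locked
2024-05-01T10:00:02|WS-042|alice|C:\Users\alice\Desktop\notes.txt|C:\Users\alice\Desktop\notes.txt.locked
2024-05-01T10:00:03|WS-042|alice|-|C:\Users\alice\Documents\readme.txt
2024-05-01T10:00:03|WS-042|alice|-|C:\Users\alice\Pictures\readme.txt
2024-05-01T10:00:03|WS-042|alice|-|C:\Users\alice\Desktop\readme.txt
2024-05-01T10:05:00|WS-007|bob|C:\Users\bob\draft.docx|C:\Users\bob\final.docx
2024-05-01T10:06:00|WS-007|bob|C:\Users\bob\export.tmp|C:\Users\bob\export.csv
2024-05-01T11:30:00|WS-099|carol|C:\Users\carol\a.pdf|C:\Users\carol\a.pdf.locked
2024-05-01T11:45:00|WS-099|carol|C:\Users\carol\b.pdf|C:\Users\carol\b.pdf.locked
2024-05-01T12:00:00|WS-099|carol|C:\Users\carol\c.pdf|C:\Users\carol\c.pdf.locked
2024-05-01T12:15:00|WS-099|carol|C:\Users\carol\d.pdf|C:\Users\carol\d.pdf.locked
2024-05-01T12:30:00|WS-099|carol|C:\Users\carol\e.pdf|C:\Users\carol\e.pdf.locked
"""


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    user: str
    old_path: Optional[PureWindowsPath]  # None for a create event
    new_path: PureWindowsPath

    def extension_changed(self) -> bool:
        """True when a rename swapped the suffix (q1.xlsx -> q1.xlsx.locked)."""
        return (self.old_path is not None
                and self.old_path.suffix.lower() != self.new_path.suffix.lower())


def parse_events(text: str) -> List[FileEvent]:
    """Parse the constructed pipe-delimited format into FileEvent objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, old, new = line.split("|")
        events.append(FileEvent(datetime.fromisoformat(ts), host, user,
                                None if old == "-" else PureWindowsPath(old),
                                PureWindowsPath(new)))
    return events


def detect_encryption_bursts(events: List[FileEvent], threshold: int = 5,
                             window_seconds: int = 60) -> List[dict]:
    """Alert when one host renames >= threshold files to the same new
    extension within a sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_key: Dict[tuple, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.extension_changed() and ev.new_path.suffix:
            by_key[(ev.host, ev.new_path.suffix.lower())].append(ev.ts)

    alerts = []
    for (host, ext), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "extension": ext,
                               "renames": len(stamps),
                               "burst_start": stamps[start]})
                break  # one alert per host/extension pair is enough
    return alerts


def detect_ransom_note_drops(events: List[FileEvent], note_name: str = "readme.txt",
                             min_dirs: int = 3) -> Dict[str, int]:
    """Return hosts where a file named note_name appeared in >= min_dirs directories."""
    dirs: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.new_path.name.lower() == note_name.lower():
            dirs[ev.host].add(str(ev.new_path.parent).lower())
    return {host: len(d) for host, d in dirs.items() if len(d) >= min_dirs}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_encryption_bursts(evs):
        print("ENCRYPTION BURST:", alert)
    for host, n in detect_ransom_note_drops(evs).items():
        print(f"RANSOM NOTE on {host} in {n} directories")
```

With the defaults, only WS-042 fires: six renames to `.locked` within three seconds, plus `readme.txt` in three directories. WS-099 renames five files to the same extension but spread over an hour, so a 60-second window never sees more than one; widening the window to two hours catches it. That trade-off is the caveat worth remembering with this indicator: a tight window keeps false positives from bulk user renames low but lets slow, throttled encryption through, so it belongs alongside the other indicators rather than on its own.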
Key Victims
While exact victim details are sparse, Wandering Spider typically targets industries such as financial services, healthcare, manufacturing, and logistics, where downtime incurs substantial costs.
Notable Cyberattacks
Operations involving the use of Black Basta ransomware since April 2022.
Earlier deployment of ransomware such as Egregor and Maze, families notorious for exfiltrating data before encryption so that victims could be pressured with leaks as well as downtime.
Law Enforcement & Arrests
There are no confirmed arrests or law enforcement actions against Wandering Spider to date. Their operations suggest a highly adaptive and evasive adversarial network.
How to Defend Against Wandering Spider
Enhanced email security to filter and block phishing attempts.
Regular patch management to address vulnerabilities before they’re exploited.
Network segmentation to limit lateral movement during an attack.
Using a 24/7 managed detection platform, like the Huntress Managed Security Platform, to identify and respond to threats before they escalate.
Huntress solutions provide tailored tools to monitor and mitigate threats, enhance endpoint security, and reduce the likelihood of ransomware infiltrating your environment.