Curly Spider is a Russian-speaking cybercrime group that emerged in 2019 and operates within the ransomware-as-a-service (RaaS) ecosystem. Most well-known for its creation of the Snake (Ekans) ransomware family, the group's activity signifies a major shift in ransomware campaigns, explicitly targeting industrial control systems (ICS). By adopting a double-extortion model, Curly Spider disrupts critical operational technology (OT) environments, demanding payment through encryption and data exposure threats.
Curly Spider employs a range of sophisticated tactics, techniques, and procedures (TTPs) to achieve its financial and disruptive objectives.
The group focuses on ransomware deployment to encrypt data and disrupt critical systems, often employing a double-extortion strategy. Besides financial gains, its impact on industrial and critical infrastructure highlights the potential for collateral damage to national security sectors.
To gain initial access, Curly Spider exploits exposed services such as remote desktop protocol (RDP) and virtual private networks (VPNs). Additionally, phishing campaigns and access purchased from brokers are often used. Post-exploitation, the Snake malware is manually deployed, with credential dumping, Active Directory compromises, and “living-off-the-land” binaries (e.g., PsExec, WMI) aiding lateral movement.
Their ransomware, Snake/Ekans, appends encrypted files with extensions like .EKANS or .SNAKE, while simultaneously targeting ICS processes. These disruptions are achieved through custom scripts and a predetermined “kill list” of industrial software processes, a method designed to disable SCADA environments before encryption.
State organizations in Moldova and Georgia were attacked in the first half of 2025. Researchers believed Curly Spider was behind these attacks, because the victim profile and the tools referenced were similar to the group's known activity. However, this attribution is not confirmed.
To date, there have been no documented arrests or direct law enforcement actions tied to Curly Spider’s operators. The group’s ICS-specific focus has, however, been a focal subject of global cybersecurity discussions.
Patch and secure exposed services like RDP and VPNs to prevent exploitation.
Separate IT and OT networks to limit lateral movement.
Monitor tools such as PsExec, WMI, and Cobalt Strike for signs of malicious activity.
Establish offline or immutable backups for both IT and OT systems.
Implement ICS monitoring to detect any unauthorized process/service interruptions.
Incorporate ransomware tabletop exercises, including ICS/OT scenarios, into incident response preparation.
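The behaviours described above (a predetermined kill list of ICS processes, files renamed with .EKANS or .SNAKE extensions, and PsExec-driven lateral movement) map directly onto the monitoring recommendations in the list. The script below is an added example of what such detection logic can look like; it is not Huntress code and not derived from the malware. It runs over a constructed, pipe-delimited telemetry sample embedded in the script. The ICS process names in the watch list are hypothetical placeholders, not the actual Snake kill list; the thresholds are assumptions to tune per environment. PSEXESVC is the service name PsExec registers when it installs its remote service.

```python
"""Toy detection logic for Snake/Ekans-style behaviour over endpoint telemetry.

Added example (not Huntress's code). Telemetry lines are constructed and have
the form: ISO-timestamp|host|event_kind|detail, where event_kind is one of
file_rename (detail = new path), process_kill (detail = image name) or
service_install (detail = service name).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Extensions Snake/Ekans is reported to append to encrypted files.
RANSOM_EXTENSIONS = {".ekans", ".snake"}

# Hypothetical placeholders for ICS/SCADA processes that should never be
# terminated outside a change window; populate from your own asset inventory.
ICS_WATCHLIST = {"hmi_runtime.exe", "scada_server.exe", "historian.exe"}

# Assumed tuning values: N renames to a ransom extension within the window.
RENAME_BURST_THRESHOLD = 5
RENAME_BURST_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one telemetry line into an Event."""
    ts, host, kind, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def detect(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (host, alert_name) pairs for the three Snake-related behaviours."""
    alerts: List[Tuple[str, str]] = []
    rename_times = defaultdict(list)  # host -> timestamps of ransom-extension renames

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_rename":
            # PureWindowsPath handles backslash paths even when run on Linux.
            if PureWindowsPath(ev.detail).suffix.lower() in RANSOM_EXTENSIONS:
                window = rename_times[ev.host]
                window.append(ev.ts)
                # Slide the window: drop renames older than the burst window.
                while window and ev.ts - window[0] > RENAME_BURST_WINDOW:
                    window.pop(0)
                # Fire exactly once, when the threshold is first reached.
                if len(window) == RENAME_BURST_THRESHOLD:
                    alerts.append((ev.host, "ransom_extension_burst"))
        elif ev.kind == "process_kill" and ev.detail.lower() in ICS_WATCHLIST:
            alerts.append((ev.host, "ics_process_terminated:" + ev.detail.lower()))
        elif ev.kind == "service_install" and ev.detail.lower() == "psexesvc":
            alerts.append((ev.host, "psexec_service_installed"))
    return alerts


def analyze(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse raw telemetry lines (blank lines ignored) and run detection."""
    return detect(parse_line(l) for l in lines if l.strip())


# Constructed sample: one compromised HMI host and one benign engineering host.
SAMPLE_LOG = r"""
2025-03-01T02:00:00|HMI-01|service_install|PSEXESVC
2025-03-01T02:00:05|HMI-01|process_kill|hmi_runtime.exe
2025-03-01T02:00:06|HMI-01|process_kill|historian.exe
2025-03-01T02:00:10|HMI-01|file_rename|C:\Data\plant.db.EKANS
2025-03-01T02:00:11|HMI-01|file_rename|C:\Data\trend.csv.EKANS
2025-03-01T02:00:12|HMI-01|file_rename|C:\Data\alarms.log.EKANS
2025-03-01T02:00:13|HMI-01|file_rename|C:\Data\recipe.xml.EKANS
2025-03-01T02:00:14|HMI-01|file_rename|C:\Data\config.ini.EKANS
2025-03-01T02:05:00|ENG-02|file_rename|C:\Users\ops\report.docx.bak
2025-03-01T02:06:00|ENG-02|process_kill|notepad.exe
""".splitlines()


if __name__ == "__main__":
    for host, alert in analyze(SAMPLE_LOG):
        print(f"{host}: {alert}")
```

The ordering of the alerts mirrors the sequence the text describes: the PsExec service appears first (lateral movement), then ICS processes are terminated (kill list), and only then does the burst of .EKANS renames begin (encryption). Correlating these three signals on one host within a few minutes is a much stronger indicator than any one of them alone, and the process-kill rule in particular should be fed from a real OT asset inventory rather than the placeholder names used here.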