Threat Actor Profile
Frozen Spider
Frozen Spider, also known by aliases such as White Kali, is a criminal ransomware group classified as financially motivated. Active since late 2022, this Ransomware-as-a-Service (RaaS) operation is known for deploying Medusa ransomware to target high-value organizations in what is often referred to as “Big Game Hunting” (BGH). Their double-extortion tactics make them a serious threat to organizations globally.
Country of Origin
The exact origin of Frozen Spider remains unknown. However, given their techniques, infrastructure, and operational trends, they are believed to operate from regions with low law enforcement oversight regarding cybercrime, potentially in Eastern Europe or nearby areas.
Members
The total size of Frozen Spider is not definitively known. Under the RaaS model, affiliates likely handle operations such as initial access and data exfiltration, while core members manage ransomware development, infrastructure, and leak-site media operations. This role-based model indicates a moderately sized but highly specialized group.
Leadership
The specific leadership structure of Frozen Spider is unknown. No public information or named individuals have been tied directly to the group. They are speculated to operate as a decentralized model under the RaaS structure, enabling roles to be distributed among affiliates.
Frozen Spider TTPs
Tactics
Frozen Spider’s main objective is to maximize financial gain by targeting high-value organizations using Medusa ransomware. Their tactics focus heavily on leveraging stolen data and public leaks as extortion tools under the double-extortion model.
Techniques
Frozen Spider relies on phishing attacks, stolen credentials, VPN/RDP exploits, or compromised vendor access to gain initial footholds. Affiliates often use lateral movement across networks to escalate privileges and maximize reach before deploying ransomware.
Procedures
After gaining access, Frozen Spider affiliates exfiltrate data and then deploy Medusa ransomware to encrypt systems. Victims are threatened with public leaks through a known leak site if ransom demands are not met. Their ransomware infrastructure follows a classic RaaS model, allowing for continuous scaling by affiliates.
Notable Cyberattacks
One significant attack linked to Frozen Spider involved the breach of a major manufacturing company in 2023, where Medusa ransomware encrypted critical systems, and data exfiltration caused reputational harm after threats of public leaks were issued. Similar operations have been executed on healthcare providers and financial organizations.
Law Enforcement & Arrests
There are no confirmed arrests or operations against Frozen Spider as of now. Their modular RaaS model makes law enforcement action more challenging, requiring coordinated efforts to dismantle both core operators and affiliates.
How to Defend Against Frozen Spider
Enforce multi-factor authentication (MFA) on all remote access systems.
Regularly patch vulnerabilities in VPN and RDP services.
Minimize privileges for administrative accounts and eliminate unnecessary ones.
Monitor for phishing campaigns and compromised credentials targeting high-privilege accounts.
Detect abnormal internal network behavior, especially pentest tool usage.
Watch for Medusa ransomware signatures in endpoint and network logs.
Maintain offline, immutable backups with frequent testing.
Develop and rehearse disaster recovery plans to minimize downtime in case of an attack.
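The two monitoring items in the list above (privileged accounts on remote access paths, and abnormal internal movement before ransomware deployment) can be turned into concrete detection logic. The following is an added example, not code from Huntress or from this profile. It runs over a handful of constructed Windows 4624-style logon records and assumes made-up network ranges, hostnames and account names; the logon type meanings (10 = RemoteInteractive/RDP, 3 = Network) are the standard Windows definitions. It flags a privileged account arriving over RDP from outside the internal ranges, and any account that authenticates to several distinct hosts within a short window, the pattern an affiliate leaves while fanning out before encryption.

```python
"""Added example (not from the Huntress page): a small detection pass over
constructed Windows logon records. All hostnames, IPs and account names are
made up; the two rules mirror the profile's advice to watch privileged accounts
on remote access paths and to flag abnormal internal movement."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: corporate LAN ranges; anything outside them is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumption: accounts that should never arrive directly over RDP from outside.
PRIVILEGED = {"CORP\\da-admin", "CORP\\backup-svc"}
LOGON_TYPE_RDP = 10      # Windows 4624 LogonType 10 = RemoteInteractive (RDP)
LOGON_TYPE_NETWORK = 3   # Windows 4624 LogonType 3 = Network (SMB, WinRM, etc.)
LATERAL_WINDOW = timedelta(minutes=10)
LATERAL_HOST_THRESHOLD = 3

# Constructed sample events (simplified 4624 fields). The da-admin sequence is
# the suspicious one: external RDP at 02:01, then three hosts in five minutes.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:01:10", "user": "CORP\\da-admin", "host": "VPN-GW01", "src_ip": "203.0.113.45", "logon_type": 10},
    {"ts": "2024-03-01T02:04:30", "user": "CORP\\da-admin", "host": "FS01", "src_ip": "10.0.5.20", "logon_type": 3},
    {"ts": "2024-03-01T02:05:12", "user": "CORP\\da-admin", "host": "SQL02", "src_ip": "10.0.5.20", "logon_type": 3},
    {"ts": "2024-03-01T02:06:40", "user": "CORP\\da-admin", "host": "HV01", "src_ip": "10.0.5.20", "logon_type": 3},
    {"ts": "2024-03-01T09:15:00", "user": "CORP\\jdoe", "host": "WS114", "src_ip": "10.0.7.31", "logon_type": 2},
    {"ts": "2024-03-01T09:20:00", "user": "CORP\\jdoe", "host": "FS01", "src_ip": "10.0.7.31", "logon_type": 3},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def privileged_remote_logons(events):
    """Rule 1: a privileged account logging on over RDP from an external address."""
    hits = []
    for e in events:
        if (e["user"] in PRIVILEGED
                and e["logon_type"] == LOGON_TYPE_RDP
                and not is_internal(e["src_ip"])):
            hits.append((e["ts"], e["user"], e["src_ip"], e["host"]))
    return hits


def lateral_movement_bursts(events, window=LATERAL_WINDOW, threshold=LATERAL_HOST_THRESHOLD):
    """Rule 2: an account with network logons to >= threshold distinct hosts
    inside a sliding time window. Returns {user: sorted hosts} for each hit."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] == LOGON_TYPE_NETWORK:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for user, entries in by_user.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for hit in privileged_remote_logons(SAMPLE_EVENTS):
        print("ALERT privileged RDP from external address:", hit)
    for user, hosts in lateral_movement_bursts(SAMPLE_EVENTS).items():
        print("ALERT lateral movement burst:", user, hosts)
```

Run as-is it raises two alerts for the constructed da-admin sequence and none for the ordinary jdoe workstation logons. In production the window and host threshold would be tuned against a baseline of normal admin activity, and the first rule is the stronger signal: with MFA enforced on remote access, a direct external RDP logon by a domain admin should not happen at all.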
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Frozen Spider threats with enterprise-grade technology.