Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
Threat Actor Profile
Indrik Spider
Indrik Spider, also known as Evil Corp, is a highly sophisticated Russian cybercriminal syndicate active since at least 2014. Best known for developing the Dridex banking Trojan and orchestrating large-scale ransomware campaigns, the group has targeted high-profile sectors worldwide, including healthcare and finance, causing severe monetary and operational damages.
Threat Actor Profile
Indrik Spider
Country of Origin
Indrik Spider is based in Russia, with credible evidence linking the group's leadership to Russian nationals. Its operations are believed to either originate from or receive tacit protection within the country, reflecting broader trends in cybercrime originating from the region.
Members
The exact size of the group remains unclear, but it is considered a significant entity within the cybercriminal underground. Aliases like UNC2165, Manatee Tempest, and Evil Corp are widely associated with their team, suggesting a well-organized and skilled operation.
Leadership
The group’s leadership includes Maksim Yakubets, also known as “aqua,” and Igor Turashev. Both individuals have been indicted by the U.S. Department of Justice, with Yakubets under particular scrutiny due to his central role. A $5 million bounty, the largest ever.
Indrik Spider TTPs
Tactics
The group primarily focuses on financial theft through ransomware and banking malware, leveraging sophisticated techniques to target high-value entities ("big-game hunting"). Their goals are monetary gain and large-scale disruption.
Techniques
Indrik Spider employs phishing schemes, advanced persistent threats (APTs), and credential theft to infiltrate systems. Techniques often involve the deployment of malware like Dridex and ransomware variants such as DoppelPaymer, with lateral movement strategies ensuring extensive infiltration before execution.
Procedures
Their methods include initial access through phishing campaigns exploitation of unpatched vulnerabilities, and code signing to evade detection. Once inside, they exfiltrate data, encrypt systems, and execute double-extortion tactics by threatening to leak sensitive information unless the ransom is paid.
Want to Shut Down Threats Before They Start?
Notable Cyberattacks
NHS Ransomware Attack (2017)
Indrik Spider’s BitPaymer ransomware caused widespread outages across the UK National Health Service, delaying patient care and costing millions to mitigate.
Funke Mediengruppe (2020)
The group targeted this major German publishing organization, disrupting operations and leaking sensitive company data.
University Hospital Düsseldorf Attack (2020)
A ransomware incident attributed to Indrik Spider disrupted critical hospital operations, tragically contributing to at least one patient death.
Law Enforcement & Arrests
Ongoing efforts to apprehend key members like Maksim Yakubets highlight the involvement of international law enforcement agencies. The United States Department of Justice has taken significant steps, including issuing indictments and reward offers.
How to Defend Against Indrik Spider
1
Implement Multi-Factor Authentication (MFA): Protect all accounts, especially administrative ones.
2
Regularly Update and Patch Systems: Fix known vulnerabilities to prevent exploits.
3
Security Awareness Training: Educate employees on recognizing phishing and social engineering tactics.
4
Monitor Network Traffic: Detect abnormal patterns of data exfiltration or lateral movement.
5
Offline Backup Practices: Safeguard important data in secure, disconnected locations.
Huntress tools and services can provide proactive monitoring and incident response capabilities, equipping organizations to counter Indrik Spider’s threats effectively.
References
