Threat Actor Profile

Viking Spider

Viking Spider is a cybercriminal group known for developing and deploying the Ragnar Locker ransomware. Emerging in late 2019, the group employs big game hunting (BGH) tactics to target high-value organizations. They are linked to the broader "Ransom Cartel," a network of ransomware operators.

Threat Actor Profile

Viking Spider

Country of Origin

The exact country of origin for Viking Spider is unknown. However, their operations suggest ties to Eastern Europe, with some overlap in tactics and infrastructure with other Russian-speaking cybercriminal groups.

Members

The size and composition of Viking Spider remain unclear. They are believed to operate as a small, specialized team within the larger Ransom Cartel network.

Leadership

No specific leaders or aliases have been publicly identified for Viking Spider. Their operational secrecy and use of Tor-hosted leak sites make attribution challenging.

Viking Spider TTPs

Tactics

The group primarily focuses on financial extortion through ransomware attacks, targeting industries with high-value data.

Techniques

They gain initial access through phishing campaigns and exploit vulnerabilities in remote desktop protocols (RDP). Once inside, they deploy Ragnar Locker ransomware to encrypt data.

Procedures

Use of Ragnar Locker ransomware
Hosting data leak sites on Tor
Proof of data exfiltration before full leaks
Avoiding targets in Russia and former Soviet states

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Notable Cyberattacks

2020: Initiated data leak extortion campaigns, threatening to publish stolen data.
2021: Linked to ransomware attacks on critical infrastructure and healthcare facilities.

Law Enforcement & Arrests

There have been no confirmed arrests of Viking Spider members. However, global law enforcement agencies, including Europol and the FBI, continue to monitor their activities.

How to Defend Against Viking Spider

Regularly update and patch systems.

Implement multi-factor authentication (MFA).

Conduct phishing awareness training.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats with enterprise-grade technology.

Try Huntress for Free

References

https://malpedia.caad.fkie.fraunhofer.de/actor/viking_spider

https://en.wikipedia.org/wiki/Wizard_Spider

BlackCat

BlackCat (also known as ALPHV) is a sophisticated ransomware group first observed in late 2021. Widely recognized for its use of advanced ransomware-as-a-service (RaaS) operations, BlackCat targets organizations across various industries and leverages double extortion tactics to pressure victims.

Clop (Cl0p)

Clop, an infamous ransomware group, surfaced around 2019 and has quickly become a significant name in the cybercriminal ecosystem. Known for their sophisticated attacks and high-value targets, Clop predominantly focuses on extortion, data theft, and financial disruption.

Play

Play (also referred to as PlayCrypt) is a financially driven ransomware group first identified in June 2022. Specializing in double-extortion techniques—encrypting files and threatening to publicly leak stolen data—Play has rapidly grown into one of the most active ransomware groups globally.

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free