Viking Spider

Description

(Analyst1) Viking Spider first began ransom operations in December 2019, and they use ransomware known as Ragnar Locker to compromise and extort organizations. Below are key findings identified while researching Viking Spider activity.

• Viking Spider is the first ransomware attacker to install their own virtual machine (VM) into victim environments. They use this VM to evade detection, and they also use it as a launch point to execute the attack.
• The gang is the first to use Facebook ads to pressure victims into paying the ransom.

• Viking Spider outsources call centers in India to contact victims asking them to pay the ransom or risk data exposure.

• Viking Spider uses Managed Service Provider (MSP) software to deliver malware and hacktools as well as provide remote access into victim environments.

• Viking Spider is one of the few gangs who conduct DDoS attacks alongside ransom attacks to pressure victims to pay. Another Cartel gang first used this tactic, but Viking Spider quickly adopted it for their uses as well.

• Viking Spider uses social media such as Twitter to shame non-paying victims publicly.

Names

Name	Name-Giver
Viking Spider	CrowdStrike

Country

• Unknown

Motivation

• Financial gain

First Seen

2019

Observed Sectors

• Automotive
• Construction
• Energy
• Hospitality
• IT
• Law enforcement
• Media
• Telecommunications

Observed Countries

• Greece
• Italy
• Japan
• Portugal
• USA

Tools

• RagnarLocker

Operations

• 2020-04: RagnarLocker ransomware hits EDP energy giant, asks for €10M https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/
• 2020-05: Ransomware deploys virtual machines to hide itself from antivirus software https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/
• 2020-07: Ragnar Locker Targets CWT in Ransomware Attack https://cybelangel.com/blog/ragnar-locker-targets-cwt/
• 2020-11: Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/
• 2020-11: Ransomware Group Turns to Facebook Ads https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/
• 2020-11: Campari hit by Ragnar Locker Ransomware, $15 million demanded https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/
• 2021-01: Ragnar Locker Ransomware Attack Impacts Employee Records at Dassault Falcon Jet https://chaslescorp.com/ragnar-locker-ransomware-attack-impacts-employee-records-at-dassault-falcon-jet/
• 2021-06: Computer memory maker ADATA hit by Ragnar Locker ransomware https://www.bleepingcomputer.com/news/security/computer-memory-maker-adata-hit-by-ragnar-locker-ransomware/
• 2021-09: Ransomware gang threatens to leak data if victim contacts FBI, police https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police/
• 2021-09: Customer Care Giant TTEC Hit By Ransomware https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/
• 2022-08: Ragnar Locker Likely Behind Attack on Greek Gas Operator https://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907
• 2022-09: Ragnar Locker ransomware claims attack on Portugal’s flag airline https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-claims-attack-on-portugals-flag-airline/
• 2022-11: Ransomware gang targets Belgian municipality, hits police instead https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-belgian-municipality-hits-police-instead/
• 2023-08: Hackers claim to publish prominent Israeli hospital’s patient data https://therecord.media/israel-hospital-data-leaked-ragnar-locker-ransomware

Counter Operations

• 2023-10: Ragnar Locker ransomware’s dark web extortion sites seized by police https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/
• 2023-10: Ragnar Locker ransomware developer arrested in France https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/

Information

• https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
• https://cybernews.com/security/how-we-applied-to-work-with-ransomware-gang/

Other Information

Uuid

e3579aff-2cc6-452c-837b-91f4b3825bf2

Last Card Change

2023-11-29