Names | Sprite Spider (CrowdStrike) Gold Dupont (SecureWorks) | |
Country | [Unknown] | |
Motivation | Financial crime, Financial gain | |
First seen | 2015 | |
Description | (CrowdStrike) In 2020, CrowdStrike Intelligence observed both SPRITE SPIDER (the operators of Defray777) and Carbanak, Anunak (the operators of DarkSide) deploy Linux versions of their respective ransomware families on ESXi hosts during BGH operations. While ransomware for Linux has existed for many years, BGH actors have historically not targeted Linux, much less ESXi specifically. ESXi is a type of hypervisor that runs on dedicated hardware and manages multiple virtual machines (VMs). With more organizations migrating to virtualization solutions to consolidate legacy IT systems, this is a natural target for ransomware operators looking to increase the impact against a victim. All identified incidents were enabled by the acquisition of valid credentials. In four separate Defray777 incidents, SPRITE SPIDER used administrator credentials to log in through the vCenter web interface. In one instance, SPRITE SPIDER likely used the PyXie remote access trojan (RAT) LaZagne module to harvest vCenter administrator credentials stored in a web browser. By targeting these hosts, ransomware operators are able to quickly encrypt multiple systems with relatively few actual ransomware deployments. Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations. Additionally, due to their lack of conventional operating systems, ESXi hosts lack endpoint protection software that could prevent or detect ransomware attacks. | |
Observed | Sectors: Education, Healthcare, Manufacturing, Technology. | |
Tools used | Cobalt Strike, Defray777, LaZagne, Metasploit, PyXie, SharpHound, Shifu, SystemBC, Vatet. | |
Operations performed | Aug 2017 | New Defray Ransomware Targets Education and Healthcare Verticals <https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals> |
May 2020 | Texas Courts hit by ransomware, network disabled to limit spread <https://www.bleepingcomputer.com/news/security/texas-courts-hit-by-ransomware-network-disabled-to-limit-spread/> | |
Jun 2020 | New Ransom X Ransomware used in Texas TxDOT cyberattack <https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/> | |
Aug 2020 | Business technology giant Konica Minolta hit by new ransomware <https://www.bleepingcomputer.com/news/security/business-technology-giant-konica-minolta-hit-by-new-ransomware/> | |
Sep 2020 | SoftServe hit by ransomware, Windows customization tool exploited <https://www.bleepingcomputer.com/news/security/softserve-hit-by-ransomware-windows-customization-tool-exploited/> | |
Sep 2020 | Leading U.S. laser developer IPG Photonics hit with ransomware <https://www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/> | |
Sep 2020 | Government software provider Tyler Technologies hit by ransomware <https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/> | |
Oct 2020 | Montreal's STM public transport system hit by ransomware attack <https://www.bleepingcomputer.com/news/security/montreals-stm-public-transport-system-hit-by-ransomware-attack/> | |
Nov 2020 | Brazil's court system under massive RansomExx ransomware attack <https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/> | |
Nov 2020 | RansomExx ransomware also encrypts Linux systems <https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/> | |
Dec 2020 | Hackers leak data from Embraer, world's third-largest airplane maker <https://www.zdnet.com/article/hackers-leak-data-from-embraer-worlds-third-largest-airplane-maker/> | |
Feb 2021 | French MNH health insurance company hit by RansomExx ransomware <https://www.bleepingcomputer.com/news/security/french-mnh-health-insurance-company-hit-by-ransomexx-ransomware/> | |
Feb 2021 | Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact <https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/> | |
Jul 2021 | Ecuador's state-run CNT telco hit by RansomEXX ransomware <https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/> | |
Aug 2021 | RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna <https://securityaffairs.co/wordpress/120898/data-breach/ransomexx-ransomware-zegna.html> | |
Aug 2021 | Computer hardware giant GIGABYTE hit by RansomEXX ransomware <https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/> | |
Aug 2021 | Ransomware hits Lojas Renner, Brazil’s largest clothing store chain <https://therecord.media/ransomware-hits-lojas-renner-brazils-largest-clothing-store-chain/> | |
Mar 2022 | Ransomware group attacks Scottish mental health charity <https://therecord.media/ransomware-group-attacks-scottish-mental-health-charity/> | |
Oct 2022 | RansomExx Leaks 52GB of Barcelona Health Centers' Data <https://www.bankinfosecurity.com/ransomexx-leaks-52-gb-barcelona-health-centers-data-a-20260> | |
Nov 2022 | RansomExx Upgrades to Rust <https://securityintelligence.com/posts/ransomexx-upgrades-rust/> | |
Information | <https://www.neosecuretendencias2021.com/assets/pdfs/crowdstrike/2021%20Global%20Threat%20Report%20FINAL%20.pdf> <https://www.secureworks.com/research/threat-profiles/gold-dupont> |
Last change to this card: 27 December 2022
Download this actor card in PDF or JSON format
Previous: Sphinx
Next: Stealth Falcon, FruityArmor
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |