ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Viking Spider

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Viking Spider

NamesViking Spider (CrowdStrike)
MotivationFinancial gain
First seen2019
Description(Analyst1) Viking Spider first began ransom operations in December 2019, and they use ransomware known as Ragnar Locker to compromise and extort organizations. Below are key findings identified while researching Viking Spider activity.

• Viking Spider is the first ransomware attacker to install their own virtual machine (VM) into victim environments. They use this VM to evade detection, and they also use it as a launch point to execute the attack.

• The gang is the first to use Facebook ads to pressure victims into paying the ransom.

• Viking Spider outsources call centers in India to contact victims asking them to pay the ransom or risk data exposure.

• Viking Spider uses Managed Service Provider (MSP) software to deliver malware and hacktools as well as provide remote access into victim environments.

• Viking Spider is one of the few gangs who conduct DDoS attacks alongside ransom attacks to pressure victims to pay. Another Cartel gang first used this tactic, but Viking Spider quickly adopted it for their uses as well.

• Viking Spider uses social media such as Twitter to shame non-paying victims publicly.
ObservedSectors: Automotive, Construction, Energy, Hospitality, IT, Law enforcement, Media, Telecommunications.
Countries: Greece, Italy, Japan, Portugal, USA.
Tools usedRagnarLocker.
Operations performedApr 2020RagnarLocker ransomware hits EDP energy giant, asks for €10M
May 2020Ransomware deploys virtual machines to hide itself from antivirus software
Jul 2020Ragnar Locker Targets CWT in Ransomware Attack
Nov 2020Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
Nov 2020Ransomware Group Turns to Facebook Ads
Nov 2020Campari hit by Ragnar Locker Ransomware, $15 million demanded
Jan 2021Ragnar Locker Ransomware Attack Impacts Employee Records at Dassault Falcon Jet
Jun 2021Computer memory maker ADATA hit by Ragnar Locker ransomware
Sep 2021Ransomware gang threatens to leak data if victim contacts FBI, police
Sep 2021Customer Care Giant TTEC Hit By Ransomware
Aug 2022Ragnar Locker Likely Behind Attack on Greek Gas Operator
Sep 2022Ragnar Locker ransomware claims attack on Portugal's flag airline
Nov 2022Ransomware gang targets Belgian municipality, hits police instead
Aug 2023Hackers claim to publish prominent Israeli hospital’s patient data
Counter operationsOct 2023Ragnar Locker ransomware’s dark web extortion sites seized by police
Oct 2023Ragnar Locker ransomware developer arrested in France

Last change to this card: 29 November 2023

Download this actor card in PDF or JSON format

Previous: Vicious Panda
Next: Void Balaur

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]