Sprite Spider, Gold Dupont

(CrowdStrike) In 2020, CrowdStrike Intelligence observed both SPRITE SPIDER (the operators of Defray777) and CARBON SPIDER, also tracked as Carbanak or Anunak (the operators of DarkSide), deploy Linux versions of their respective ransomware families on ESXi hosts during BGH [big game hunting] operations. While ransomware for Linux has existed for many years, BGH actors have historically not targeted Linux, much less ESXi specifically. ESXi is a type of hypervisor that runs on dedicated hardware and manages multiple virtual machines (VMs). With more organizations migrating to virtualization solutions to consolidate legacy IT systems, this is a natural target for ransomware operators looking to increase the impact against a victim. All identified incidents were enabled by the acquisition of valid credentials. In four separate Defray777 incidents, SPRITE SPIDER used administrator credentials to log in through the vCenter web interface. In one instance, SPRITE SPIDER likely used the PyXie remote access trojan (RAT) LaZagne module to harvest vCenter administrator credentials stored in a web browser. By targeting these hosts, ransomware operators are able to quickly encrypt multiple systems with relatively few actual ransomware deployments. Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations. Additionally, due to their lack of conventional operating systems, ESXi hosts lack endpoint protection software that could prevent or detect ransomware attacks.
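The excerpt above describes operators reaching ESXi with valid administrator credentials, on hosts where no endpoint agent will see them. What a defender can still do is forward ESXi syslog off-host and correlate it. The following is an added example (not CrowdStrike's, ETDA's or the actor's code) of that correlation: it flags root SSH logins from sources outside an allowlist, commands that weaken host protections, and bulk VM power-off in the window after a login, which ESXi ransomware typically performs because running VMs hold locks on their .vmdk files. The log lines are constructed, and their layout is assumed from ESXi's auth.log (OpenSSH-style sshd messages) and shell.log ("[user]: command") as a syslog collector would record them with a timestamp and hostname prefix; the allowlist address, window and threshold are assumptions to tune per environment.

```python
"""Flag ESXi ransomware precursors in forwarded ESXi syslog.

Added example for this card, not CrowdStrike's, ETDA's or the actor's code.
Line layouts are assumed: ESXi auth.log sshd messages (OpenSSH style) and
shell.log ("[user]: command"), each prefixed by timestamp and hostname as a
syslog collector would record them. Check the regexes against your own hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real victim data). esx01 shows routine admin
# work from the assumed jump box; esx02 shows a root login from an unexpected
# source, bulk VM power-off and a setting change that lets unsigned binaries
# (such as a dropped ransomware ELF) execute.
SAMPLE_LOG = """\
2021-02-01T02:10:05Z esx01 sshd[2048]: Accepted keyboard-interactive/pam for root from 10.10.5.7 port 50112 ssh2
2021-02-01T02:10:09Z esx01 shell[2050]: [root]: esxcli system version get
2021-02-01T03:14:11Z esx02 sshd[3101]: Accepted keyboard-interactive/pam for root from 192.168.44.201 port 41022 ssh2
2021-02-01T03:14:20Z esx02 shell[3105]: [root]: vim-cmd vmsvc/getallvms
2021-02-01T03:14:31Z esx02 shell[3105]: [root]: vim-cmd vmsvc/power.off 1
2021-02-01T03:14:33Z esx02 shell[3105]: [root]: vim-cmd vmsvc/power.off 2
2021-02-01T03:14:35Z esx02 shell[3105]: [root]: vim-cmd vmsvc/power.off 3
2021-02-01T03:14:37Z esx02 shell[3105]: [root]: vim-cmd vmsvc/power.off 4
2021-02-01T03:14:39Z esx02 shell[3105]: [root]: vim-cmd vmsvc/power.off 5
2021-02-01T03:15:02Z esx02 shell[3105]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
SHELL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Assumed policy values; tune to the environment.
ADMIN_SOURCES = frozenset({"10.10.5.7"})   # hosts allowed to SSH to ESXi
WINDOW = timedelta(minutes=10)             # correlation window after a login
POWER_OFF_THRESHOLD = 3                    # power-offs in WINDOW that count as bulk
WEAKENING_RE = [
    re.compile(r"execInstalledOnly -i 0"),          # allow unsigned binaries
    re.compile(r"hostsvc/enable_(ssh|esx_shell)"),  # open interactive access
    re.compile(r"firewall set --enabled false"),    # drop the host firewall
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def analyze(log_text, admin_sources=ADMIN_SOURCES):
    """Return (host, alert_kind, detail) tuples for suspicious activity."""
    alerts = []
    logins = defaultdict(list)      # host -> [(ts, source ip)]
    power_offs = defaultdict(list)  # host -> [ts]
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            host, src = m["host"], m["src"]
            logins[host].append((parse_ts(m["ts"]), src))
            if src not in admin_sources:
                alerts.append((host, "untrusted_source_login",
                               f"{m['user']} from {src} at {m['ts']}"))
            continue
        m = SHELL_RE.match(line)
        if not m:
            continue  # other log sources are ignored here
        host, cmd = m["host"], m["cmd"]
        if "vmsvc/power.off" in cmd:
            power_offs[host].append(parse_ts(m["ts"]))
        if any(rx.search(cmd) for rx in WEAKENING_RE):
            alerts.append((host, "weakened_host_protection", cmd))
    # Bulk power-off shortly after a login: running VMs hold locks on their
    # .vmdk files, so ESXi ransomware typically stops them before encrypting.
    for host, times in power_offs.items():
        for login_ts, src in logins.get(host, []):
            count = sum(1 for t in times if login_ts <= t <= login_ts + WINDOW)
            if count >= POWER_OFF_THRESHOLD:
                alerts.append((host, "bulk_power_off",
                               f"{count} VMs powered off within {WINDOW} of login from {src}"))
                break
    return alerts


if __name__ == "__main__":
    for host, kind, detail in analyze(SAMPLE_LOG):
        print(f"{host}: {kind}: {detail}")
```

On the constructed sample this raises three alerts, all for esx02, and none for esx01. The allowlist check is deliberately the weakest of the three rules: the excerpt's point is that the credentials were valid, so a login from an expected source is not on its own evidence of anything, and the command-level rules are what carry the detection.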

References:

Basic Information (Credit @etda.or.th)

Actor: Sprite Spider, Gold Dupont

Names: Sprite Spider, Gold Dupont

Country: [Unknown]

Motivation: Financial crime

Motivation: Financial gain

First-seen: 2015

Observed-sectors: Education

Observed-sectors: Healthcare

Observed-sectors: Manufacturing

Observed-sectors: Technology

Tools: Cobalt Strike

Tools: Defray777

Tools: LaZagne

Tools: Metasploit

Tools: PyXie

Tools: SharpHound

Tools: Shifu

Tools: SystemBC

Tools: Vatet

Operations: 2017-08

Operations: New Defray Ransomware Targets Education and Healthcare Verticals https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals

Operations: 2020-05

Operations: Texas Courts hit by ransomware, network disabled to limit spread https://www.bleepingcomputer.com/news/security/texas-courts-hit-by-ransomware-network-disabled-to-limit-spread/

Operations: 2020-06

Operations: New Ransom X Ransomware used in Texas TxDOT cyberattack https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/

Operations: 2020-08

Operations: Business technology giant Konica Minolta hit by new ransomware https://www.bleepingcomputer.com/news/security/business-technology-giant-konica-minolta-hit-by-new-ransomware/

Operations: 2020-09

Operations: SoftServe hit by ransomware, Windows customization tool exploited https://www.bleepingcomputer.com/news/security/softserve-hit-by-ransomware-windows-customization-tool-exploited/

Operations: 2020-09

Operations: Leading U.S. laser developer IPG Photonics hit with ransomware https://www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/

Operations: 2020-09

Operations: Government software provider Tyler Technologies hit by ransomware https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/

Operations: 2020-10

Operations: Montreal's STM public transport system hit by ransomware attack https://www.bleepingcomputer.com/news/security/montreals-stm-public-transport-system-hit-by-ransomware-attack/

Operations: 2020-11

Operations: Brazil's court system under massive RansomExx ransomware attack https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/

Operations: 2020-11

Operations: RansomExx ransomware also encrypts Linux systems https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/

Operations: 2020-12

Operations: Hackers leak data from Embraer, world's third-largest airplane maker https://www.zdnet.com/article/hackers-leak-data-from-embraer-worlds-third-largest-airplane-maker/

Operations: 2021-02

Operations: French MNH health insurance company hit by RansomExx ransomware https://www.bleepingcomputer.com/news/security/french-mnh-health-insurance-company-hit-by-ransomexx-ransomware/

Operations: 2021-02

Operations: Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

Operations: 2021-07

Operations: Ecuador's state-run CNT telco hit by RansomEXX ransomware https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/

Operations: 2021-08

Operations: RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna https://securityaffairs.co/wordpress/120898/data-breach/ransomexx-ransomware-zegna.html

Operations: 2021-08

Operations: Computer hardware giant GIGABYTE hit by RansomEXX ransomware https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/

Operations: 2021-08

Operations: Ransomware hits Lojas Renner, Brazil’s largest clothing store chain https://therecord.media/ransomware-hits-lojas-renner-brazils-largest-clothing-store-chain/

Operations: 2022-03

Operations: Ransomware group attacks Scottish mental health charity https://therecord.media/ransomware-group-attacks-scottish-mental-health-charity/

Operations: 2022-10

Operations: RansomExx Leaks 52GB of Barcelona Health Centers' Data https://www.bankinfosecurity.com/ransomexx-leaks-52-gb-barcelona-health-centers-data-a-20260

Operations: 2022-11

Operations: RansomExx Upgrades to Rust https://securityintelligence.com/posts/ransomexx-upgrades-rust/

Information: https://www.neosecuretendencias2021.com/assets/pdfs/crowdstrike/2021%20Global%20Threat%20Report%20FINAL%20.pdf

Information: https://www.secureworks.com/research/threat-profiles/gold-dupont

Last-card-change: 2022-12-27

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi