Sprite Spider Emerging as One of The Most Destructive Ransomware Threat Actors


Recently, at the SANS Cyber Threat Intelligence Summit, two CrowdStrike cybersecurity leads, Senior Security Researcher Sergei Frankoff and Senior Intelligence Analyst Eric Loui, shared detailed information on ‘Sprite Spider’, an emerging leading ransomware actor. Like other ransomware operations, the crew behind the Sprite Spider attacks has grown rapidly in sophistication and damage capability since 2015. At present, Sprite Spider has become one of the most dangerous ransomware threat actors of 2021. 

The emergence of Sprite Spider did not come as a surprise to many world-leading IT firms: like other organized ransomware groups, it is staffed by threat actors who are often gainfully employed by nation-state cybercriminals. 

The journey of Sprite Spider

To have come so far as to make headlines, it must have started somewhere, but when and where? Back in 2015 the group deployed a banking Trojan called Shifu, and in 2017 a malware loader called Vatet. The gang deployed a remote access Trojan called PyXie in 2018, and in 2019 the attackers deployed ransomware called DEFRAY777. 

CrowdStrike researchers linked Shifu, Vatet, and PyXie to the DEFRAY777 ransomware attacks. At that point they realized that all the activity involving these components traced back to a single malicious group, operating stealthily behind the scenes. 

The threat actors often avoid detection mainly because the malicious code is hidden inside open-source projects such as Notepad++, which makes it effectively invisible and lets it pass as harmless. The only thing Sprite Spider writes to disk is ‘Vatet’, which makes it even more difficult for intelligence teams to identify the intrusion during an attack. 

“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically North Korea,” CrowdStrike’s senior vice president of intelligence Adam Meyers tells CSO. He added that “Iran and China are also getting in on the ransomware game. It’s not necessarily the nation-state that is conducting the attack, but [the cybercriminals] are using the skills they learned [by working for nation-state attackers] to make a little extra money on the side. The individuals engaged by the nation-state are conducting ransomware attacks on a moonlight shift.” 

Mark Weatherford, chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity official in the Obama administration, tells CSO: “I think it will take an international effort to address the growing ransomware scourge. Until there is more of an international policy discussion, I think we’re going to see these things grow. What we need is an international combined effort from nations around the world to say that this is no longer acceptable.”