Skip to content

Hide Navigation Hide TOC

BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac)

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

Cluster A Galaxy A Cluster B Galaxy B Level
LockBit (ELF) (afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e) Malpedia BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor 1
BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor LockBit (Windows) (fd035735-1ab9-419d-a94c-d560612e970b) Malpedia 1
BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 1
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Lockbit3 (c09f73fd-c3c3-42b1-b355-b03ca4941110) Ransomware LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 3
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 3
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3