Skip to content

Hide Navigation Hide TOC

BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac)

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

Cluster A Galaxy A Cluster B Galaxy B Level
LockBit (ELF) (afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e) Malpedia BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor 1
LockBit (Windows) (fd035735-1ab9-419d-a94c-d560612e970b) Malpedia BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor 1
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Lockbit3 (c09f73fd-c3c3-42b1-b355-b03ca4941110) Ransomware LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 3
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 3
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 3