VIKING SPIDER is a cybercriminal ransomware threat actor publicly associated with operating Ragnar Locker ransomware. The provided content describes Ragnar Locker as commonly associated with VIKING SPIDER and notes that the group has used varied initial access methods, including direct exploitation of systems, abuse of legitimate applications, and implantation of malware inside legitimate applications. The ransomware activity described includes broad access and control inside victim environments prior to encryption, victim profiling, locale-based execution checks that avoid systems using multiple CIS-region languages, service enumeration focused on backup, security, and remote-management software, ransom-note creation in Public\Documents, qTox-based victim communications, and file encryption that skips selected folders, files, and extensions while appending a RAGNAR marker and key material. The content also states that VIKING SPIDER publicly announced intentions to avoid targeting frontline healthcare entities. It further notes that VIKING SPIDER collaborated in the Maze Cartel with TWISTED SPIDER and LockBit operators. No additional aliases or sub-groups beyond the provided name are directly supported by the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 malware families attributed to this actor across reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with RagnarLocker ransomware operations, using varied initial access methods, direct exploitation, abuse of legitimate applications, malware implantation, privilege/access expansion inside victim environments, and broad file encryption across enterprise systems.
Listed as part of a broader 'Ransom Cartel/Maze Cartel' collection of criminals (per cited reporting) that use ransomware for extortion; no further specifics in this content.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.