Sprite Spider: What You Need to Know


February 1, 2021

A ransomware team first detected in 2015 is poised to become one of the biggest threat actors of 2021, according to CrowdStrike.

The group, called Sprite Spider, first began to draw attention using a Trojan called Shifu to attack banking systems in 2015. Over time they’ve evolved to using numerous tools like Valet, a malware loader, PyXie, an advanced remote access Trojan, and DEFRAY777, a ransomware variant.

CrowdStrike made their announcement at a recent SANS Cyber Threat Intelligence Summit. They said it wasn’t until recently they noticed the various tools were being used by the same group.

Sprite Spider operates primarily under the RADAR, avoiding detection by using very benign-looking code hidden in programs like Notepad++. Their modus operandi is to only install Vatet on infected end-points, which then serves up DEFRAY777.

As of recently, Sprite Spider has been attacking VMware ESXi users. ESXi is typically used by large corporations to manage multiple virtual machines. By installing DEFRAY777 on ESXi hosts, Sprite Spider is able to leverage stolen credentials to compromise vCenter, VMware’s web interface for managing ESXi devices.

After breaching the vCenter, Sprite Spider is able to enable SSH, change the SSH keys and/or root passwords, and then, ultimately, encrypt the machines.

Targeting EXSi machines is actually a pretty smart choice, as it means Sprite Spider doesn’t have to deploy DEFRAY777 across the entire organization. A few targeted servers and they’re off to the races.

What You Can Do to Protect Yourself from Ransomware

Implement a Security Awareness Training Program – Someone wiser than I once told me ‘you can’t stop or avoid what you’re not prepared to handle.’ That goes for ransomware attacks. 

Most ransomware attacks are solicited through Social Engineering campaigns and are end-user initiated (i.e. you, a coworker, or employee). A good security awareness training program can help educate people and stop a ransomware attack before it can get a foothold in your IoT ecosystem.

Email Inbox Security is Imperative – As stated above, a ransomware attack is usually end-user initiated. How? Typically via a malicious link or file embedded in an email. The attacker will trick their unsuspecting victim into clicking through and, well, it’s all downhill from there. 

By implementing things like DMARC or DKIM, or sign up for a service like Cyren’s Office 365 Inbox Security platform, you can stop some of these attacks before human error becomes a part of the problem.

Next-Generation End-Point Protection – Traditional endpoint protection products rely on outdated means of detection (like looking for specific signatures).

Newer products like Blackberry Protect (formerly Cylance) uses machine learning and artificial intelligence to determine whether or not software that’s trying to run on your machine is hazardous or not.

Back-up your End-Points and Critical Data – This is a no brainer. Even with the risk of a ransomware attack, you should be backing up your important data. A ransomware attack is only deadly to an organization if they don’t have backups.

Ransomware attacks encrypt your end-points and demand a ransom (duh) from the victim to get the decryption key. If you’ve got air-gapped, regular backups you don’t need to pay. You can simply restore your ecosystem to a period before it was infected. 

Just make sure backups are in a secure location, not normally connected to your network, and password protected.

Whitelisting and Blocking the Known Bad – You’ve got a pretty good idea of what people in your organization should be looking at while they work, or what programs they use, or what devices can talk to over the internet. Take the time to whitelist approved applications and processes. 

Blocking the known bad goes hand in hand with whitelisting. 

Now, I don’t necessarily mean you should spend hours and hours blocking everything under the sun, or making sure your firewall’s traffic policy is tighter than a frog’s butthole, but you should take the steps to block traffic to and from countries known to be hazardous to an enterprise like Russia, China, North Korea, Iran, etc. 

You can check out this article if you want to learn more about that.

Discover Leaked Credentials, Look for Exposed Super-Admins, and Start Practicing the Principle of Least Privilege when it comes to Access Control – Pardon me, but we have to go back to human error and the part it plays in a successful ransomware attack, or for that matter, ANY kind of cybersecurity attack. 

We humans, as a species, are terrible when it comes to credential management and good password hygiene. We stink at it. But the first step in changing that is by acknowledging it. To help with this, you might want to start by running a dark web scan  on your email domain. 

If the scan does discover linked credentials take a good long look at the report and check it against your records to see what privileges those users might have. The Principle of Least Privilege is the belief that people should have access to as little as possible beyond what they need to do their day-to-day tasks. That includes administrators and other high ranking personnel.

Make Sure you Monitor Your Files Around the Clock – Monitors your IT environment for changes to the critical OS, files, and processes such as directories, registry keys, and values. 

Watch for changes to application files, rogue applications running on the host and unusual process and port activity, as well as system incompatibilities.

Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.

Carl Keyser is the Content Manager at Integris.

Keep reading

Updating Your Bank’s Security Training for the Age of AI

Updating Your Bank’s Security Training for the Age of AI

How much could AI-driven models like Copilot for M365, Google Gemini, or Apple Intelligence improve the productivity at your bank? The jury is still out on that one, but initial experiments place the overall AI-driven productivity gains for the US economy at between 8...

What to Know Before Installing Co-Pilot for Microsoft Word

What to Know Before Installing Co-Pilot for Microsoft Word

Imagine having an AI assistant that pulls from your notes, marries them to an existing document format, and writes a document for you. That's the power of Copilot for Microsoft Word, which is planned for rollout in 2024 for those who buy the Copilot M365 license....

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...