Skip to content

Hide Navigation Hide TOC

BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac)

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

Cluster A Galaxy A Cluster B Galaxy B Level
LockBit (Windows) (fd035735-1ab9-419d-a94c-d560612e970b) Malpedia BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor 1
BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor LockBit (ELF) (afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e) Malpedia 1
BITWISE SPIDER (ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac) Threat Actor LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Lockbit3 (c09f73fd-c3c3-42b1-b355-b03ca4941110) Ransomware LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern LockBit (8eda8bf1-db5a-412d-8511-45e2f7621d51) Ransomware 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 3
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern 3
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3