Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
Viking Spider first began ransom operations in December 2019, and they use ransomware known as Ragnar Locker to compromise and extort organizations. Below are key findings identified while researching Viking Spider activity. • Viking Spider is the first ransomware attacker to install their own virtual machine (VM) into victim environments. They use this VM to evade detection, and they also use it as a launch point to execute the attack. • The gang is the first to use Facebook ads to pressure victims into paying the ransom. • Viking Spider outsources call centers in India to contact victims asking them to pay the ransom or risk data exposure. • Viking Spider uses Managed Service Provider (MSP) software to deliver malware and hacktools as well as provide remote access into victim environments. • Viking Spider is one of the few gangs who conduct DDoS attacks alongside ransom attacks to pressure victims to pay. Another Cartel gang first used this tactic, but Viking Spider quickly adopted it for their uses as well. • Viking Spider uses social media such as Twitter to shame non-paying victims publicly.
No exploited CVEs have been attributed to this threat actor yet.
Browse CVE Database