Threat Intelligence Tarot
Vol. II · 97
Russia (FSB-linked, Maksim Yakubets)
G0119 · ★★★★★
risk 5/5
✦ The Sanctioned Serpent ✦
Evil Corp
Indrik Spider · UNC2165 · Gold Drake
Financial institutions · Insurance · Healthcare · Manufacturing · Private sector globally
Active since ~2007 · Financial crime, Ransomware, Banking fraud
The Sanctioned Serpent sheds its skin to evade the law, emerging as a new criminal enterprise the moment the last one is named. Sanctioned but not stopped, it proves that financial penalties alone cannot tame the beast.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- ◆ Dridex banking trojan causing $100M+ in losses globally
- ◆ WastedLocker ransomware targeting US corporations
- ◆ US Treasury OFAC sanctions (2019): first ransomware group sanctioned
- ◆ Continuous rebranding (BitPaymer, Hades, Phoenix) to evade sanctions
Defenses
- ▸ Email gateway blocking macro-enabled Office documents from external senders (CIS Control 9 ↗)
- ▸ Endpoint detection with behavioral analytics to catch Dridex-style banking trojan activity (CIS Control 10 ↗)
- ▸ Offline immutable backups tested quarterly for ransomware recovery (CIS Control 11 ↗)
- ▸ OFAC sanctions screening before any ransom payment consideration (Regulatory compliance)
Reversed: Their Weakness
US Treasury sanctions force anyone dealing with the group to avoid ransom payments in order to maintain access to the banking system. Victim organizations that refuse to pay a sanctioned entity remove the economic incentive entirely.
Data sourced from MITRE ATT&CK. For educational purposes.