Cybercrime Group

TA505

Russia • Active since 2014

TA505 sends billions of spam emails with malware attached. The group began with banking malware and has since expanded into ransomware. It is one of the most active criminal hacking groups in the world.

Overview

TA505 is a financially motivated cybercriminal group responsible for massive malspam campaigns. They operate or distribute multiple malware families including Dridex, Locky, Clop ransomware, and FlawedAmmyy.

Also Known As

Hive0065, SectorJ04, GRACEFUL SPIDER

Target Industries

Finance, Retail, Healthcare, Manufacturing, All Industries

Target Regions

Global

Tactics, Techniques & Procedures

  • Massive malspam campaigns
  • Malicious Office documents
  • Ransomware deployment
  • Banking trojan distribution
  • Initial access broker services

Known Tools & Malware

Dridex, Locky, Clop, FlawedAmmyy, SDBbot, Get2

Notable Campaigns

Dridex Distribution (2014-present)

Long-running campaigns distributing the Dridex banking trojan.

Clop Ransomware Operations (2019-present)

Deployment of Clop ransomware following initial Dridex access.

MITRE ATT&CK Techniques

T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1486 (Data Encrypted for Impact), T1071 (Application Layer Protocol)

Defense Recommendations

  1. Block macro execution in Office
  2. Deploy email security filtering
  3. Monitor for Dridex indicators

Related Threat Actors

Evil Corp, Wizard Spider