README.md

LARVA-57 Group Indicators of Compromise (IOC)

LARVA-57 consists of former Wizard Spider actors who are publicly known for the various malware variants they use (Ryuk, Trickbot, and Conti, among others). It is a financially motivated cybercrime group first identified in 2017. It may be one of the wealthiest groups currently in operation, with total assets easily over hundreds of millions of dollars. The PTI team has been actively tracking the Wizard Spider group since releasing our first public report in November 2021. This prevented hundreds of ransomware attacks and notified over 100,000 victims, including defence and aerospace companies, food producers, supply chain providers, hospitals, government agencies, and critical infrastructure providers. These IP addresses are part of the infrastructure from the former members, currently designated as LARVA-57, that currently use LockBit Ransomware to encrypt the computers of corporate networks with a ransom demand.

Report can be found at Catalyst Platform.

Operational Environment

IP Address	Observation Date
45.227.255.213	18.03.2023
46.161.27.123	20.03.2023
138.99.216.146	20.03.2023
78.128.112.211	20.03.2023
78.128.112.195	20.03.2023
78.128.112.202	20.03.2023
45.227.252.237	20.03.2023
45.227.252.236	20.03.2023
147.78.47.245	20.03.2023
179.60.150.150	05.04.2023
5.8.18.116	05.04.2023
5.8.18.117	05.04.2023
5.8.18.236	05.04.2023
5.8.18.242	05.04.2023
88.214.26.27	05.04.2023
88.214.26.37	05.04.2023
46.161.27.155	05.04.2023
147.78.47.240	05.04.2023
147.78.47.243	05.04.2023
78.128.112.137	05.04.2023
78.128.112.141	05.04.2023
5.188.206.83	05.04.2023
5.188.206.92	05.04.2023
78.128.112.138	05.04.2023
5.188.206.88	05.04.2023
5.188.206.84	05.04.2023
5.188.206.93	05.04.2023
45.227.252.241	05.04.2023
45.227.252.252	05.04.2023
179.60.146.51	05.04.2023
92.118.36.201	05.04.2023
193.29.13.152	05.04.2023
193.29.13.166	05.04.2023
92.118.36.213	05.04.2023