TUNNEL SPIDER is a prolific Ransomware-as-a-Service (RaaS) affiliate active since at least February 2022. Since that time, the adversary primarily used HIVE SPIDER’s Hive RaaS. After the Hive RaaS was disrupted by law enforcement in January 2023, TUNNEL SPIDER has used BITWISE SPIDER’s LockBit RaaS, the Black Basta RaaS, ROYAL SPIDER’s Royal RaaS, and Cactus ransomware. Cactus was first identified...