Defeating BLOCKADE SPIDER: How CrowdStrike Stops Cross-Domain Attacks
ID: 1abba9ed-3886-5ad7-8d0c-ffcbce9c4b0d
STIX ID: report--1abba9ed-3886-5ad7-8d0c-ffcbce9c4b0d
Feed Name: Crowdstrike Blog
CrowdStrike OverWatch documents BLOCKADE SPIDER, an eCrime ransomware actor active since at least April 2024 that executes cross-domain attacks spanning unmanaged endpoints, cloud, and identity systems. The actor gained initial access through an unmanaged VPN appliance, used DCSync to dump additional credentials, added accounts to AD groups, bypassed MFA, and deployed a rogue AD agent, then targeted backups and virtualized infrastructure with Embargo ransomware. OverWatch used identity protection and Falcon Next-Gen SIEM telemetry to trace, monitor, and ultimately disrupt the adversary's access.
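Two of the techniques named in the summary, DCSync and adding accounts to AD groups, leave distinctive traces in the Windows Security log. The detector below is an added example (not CrowdStrike's or the report's own logic): it flags Event ID 4662 records carrying a directory-replication control-access right from anything other than a domain controller machine account, and Event ID 4728/4732/4756 records that add a member to a privileged group. The allowlisted account name `svc_dirsync`, the group list, and all sample events are assumptions constructed for the example.

```python
"""Detection logic for two techniques named in the summary above:
DCSync (Security Event ID 4662 carrying a directory-replication
control-access right) and additions to privileged AD groups
(Event IDs 4728/4732/4756). Field names follow the Windows Security
log; every event in SAMPLE_LOG is constructed for illustration."""
import json
import re

# Control-access right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Groups whose membership changes warrant an alert (extend per environment).
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins",
    "administrators", "account operators", "backup operators",
}

# Assumed allowlist of non-DC accounts that legitimately replicate the
# directory, e.g. a directory-sync service account (hypothetical name).
REPLICATION_ALLOWLIST = {"svc_dirsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def is_dcsync(ev):
    """4662 with a replication right from anything other than a DC
    machine account (name ending in '$') or an allowlisted account."""
    if ev.get("EventID") != 4662:
        return False
    guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
    if not guids & REPLICATION_GUIDS:
        return False
    user = ev.get("SubjectUserName", "")
    return not (user.endswith("$") or user.lower() in REPLICATION_ALLOWLIST)


def is_privileged_group_add(ev):
    """4728 (global), 4732 (local) or 4756 (universal) member added;
    TargetUserName is the group that received the member."""
    if ev.get("EventID") not in (4728, 4732, 4756):
        return False
    return ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS


def detect(lines):
    """Run both rules over JSON-lines input; return (rule, detail) pairs."""
    alerts = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_dcsync(ev):
            alerts.append(("dcsync", ev["SubjectUserName"]))
        elif is_privileged_group_add(ev):
            alerts.append(("priv_group_add",
                           f"{ev['MemberName']} -> {ev['TargetUserName']}"))
    return alerts


# Constructed sample: a DC replicating (benign), a user account replicating
# (DCSync), an unrelated 4662, a Domain Admins addition, a benign group add.
# Raw string so the \r\n\t\t escapes stay inside the JSON for json.loads.
SAMPLE_LOG = r"""
{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS", "Properties": "Control Access\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS", "Properties": "Control Access\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user", "Properties": "Write Property\r\n\t\t{bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4728, "SubjectUserName": "jdoe", "MemberName": "CN=backupsvc,OU=Service,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"EventID": 4728, "SubjectUserName": "helpdesk", "MemberName": "CN=alice,OU=Users,DC=corp,DC=example", "TargetUserName": "Marketing"}
"""

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

The DCSync rule keys on the replication GUIDs rather than on the tooling, so it catches any account that pulls the directory regardless of which client it uses; in a real deployment the allowlist must be kept tight, since a compromised sync account replicating the directory looks identical to a legitimate one.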
