Wizard Spider

Last updated February 21, 2024

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest,^[1] is a cybercrime group based in and around Saint Petersburg in Russia.^[2]^[3]^[4] Some members may be based in Ukraine.^[3] They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.^[2]^[5]

History

In 2018 the groups began using Trickbot, Ryuk and Conti ransomware as their primary tools.^[2]

They have also developed espionage software Sidoh which only gathers information and does not hold it to ransom.^[3]^[6]

Modus operandi

PRODAFT wrote a technical report on them that described their attacks and organisation.^[7]

Attacks usually begin by sending large amounts of spam to targets in order to trick victims into downloading malware.^[7] They use Qbot and SystemBC malware, as well as writing their own.^[7] A separate team pinpoints valuable targets and uses Cobalt Strike to attack them.^[7] If they gain control of the system, they deploy ransomware.^[7]

They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying they are carrying out several attacks using different malware.^[3]

They are very security conscious and do not openly advertise on the darknet.^[2] They will only work with or sell access to criminals they trust.^[2] They are known to belittle their victims via a leak site.^[2] The leak site is also used to publish data they have stolen.^[3]

Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.^[2]^[3] Their software is programmed to uninstall itself if it detects that the system uses the Russian language or if the system has an IP address in the former Soviet Union.^[3]

Russia is suspected of tolerating Wizard Spider and even assisting them.^[3]

Suspected attacks

They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland.^[8]^[2] It is the largest known attack against a health service computer system.^[3]

Associates

They are linked to UNC1878, TEMP.MixMaster, and Grim Spider.^[5]

According to a report by Jon DiMaggio entitled Ransom Mafia: Analysis of the world's first ransomware cartel the group is part of a collections of criminals known as the Ransom Cartel or Maze Cartel.^[3] They are the largest of the groups active in the cartel.^[3]^[6] The other members are: TWISTED SPIDER, VIKING SPIDER, Lockbit gang and SunCrypt gang.^[3] All use ransomware to extort money.^[3]^[6] SunCrypt have since retired.^[6]

The PRODAFT report authors found that Wizard Spider sometimes backed up data to a server and that the server contained data from systems that had also been attacked by REvil, though the authors could not conclude which of the two groups had taken the data.^[7]

Related Research Articles

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

Ransomware is a type of cryptovirological malware that permanently block access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Trickbot is a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.

Conti is a ransomware hacker group that has been observed since 2020, believed to be distributed by a Russia-based group. It operates as a ransomware-as-a-service (RaaS), enabling other cybercriminals to deploy this malware for their own purposes. Conti is particularly known for its utilization of double extortion techniques, where it not only encrypts victim's files but also steals and threatens to publish sensitive data if the ransom is not paid.

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

BlackCat, also known as ALPHV and Noberus is a ransomware family written in Rust, that made its first appearance in November 2021. By extension, it's also the name of the threat actor(s) that exploit it.

References

↑ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
1 2 3 4 5 6 7 8 9 10 Reynolds, Paul (18 May 2021). "'Wizard Spider': Who are they and how do they operate?". RTÉ News . Retrieved 18 May 2021.
1 2 3 4 5 6 7 8 9 10 11 12 13 Lally, Conor (18 May 2021). "Wizard Spider profile: Suspected gang behind HSE attack is part of world's first cyber-cartel". The Irish Times . Retrieved 19 May 2021.
↑ Burgess, Matt (1 February 2022). "Inside Trickbot, Russia's Notorious Ransomware Gang". Wired . Retrieved 15 February 2022.
1 2 "Mapping To Wizard Spider". MITRE Shield. Mitre Corporation. Archived from the original on 28 January 2021. Retrieved 18 May 2021.{{cite web}}: CS1 maint: unfit URL (link)
1 2 3 4 DiMaggio, Jon. "Ransom Mafia - Analysis of the World's First Ransomware Cartel". Analyst1. Retrieved 19 May 2021.
1 2 3 4 5 6 Burt, Jeff (18 May 2022). "Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware". The Register . Retrieved 20 May 2022.
↑ Molony, Seanan; Weckler, Adrian (17 May 2021). "Cyber experts hunt hidden hacking in all Government departments as Russian hackers target Health". Irish Independent . Retrieved 18 May 2021.

External links

Wizard Spider Group In-Depth Analysis - report by PRODAFT, 16 May 2022

This organization-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ms-threat-actors-24-1] "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.

[rte-ransomware-crime-group-2] 1 2 3 4 5 6 7 8 9 10 Reynolds, Paul (18 May 2021). "'Wizard Spider': Who are they and how do they operate?". RTÉ News . Retrieved 18 May 2021.

[it-wizard-spider-profile-3] 1 2 3 4 5 6 7 8 9 10 11 12 13 Lally, Conor (18 May 2021). "Wizard Spider profile: Suspected gang behind HSE attack is part of world's first cyber-cartel". The Irish Times . Retrieved 19 May 2021.

[wired-inside-trickbot-4] Burgess, Matt (1 February 2022). "Inside Trickbot, Russia's Notorious Ransomware Gang". Wired . Retrieved 15 February 2022.

[mitre-mapping-to-wizard-spider-5] 1 2 "Mapping To Wizard Spider". MITRE Shield. Mitre Corporation. Archived from the original on 28 January 2021. Retrieved 18 May 2021.{{cite web}}: CS1 maint: unfit URL (link)

[analyst1-ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel-6] 1 2 3 4 DiMaggio, Jon. "Ransom Mafia - Analysis of the World's First Ransomware Cartel". Analyst1. Retrieved 19 May 2021.

[tr-meet-wizard-spider-7] 1 2 3 4 5 6 Burt, Jeff (18 May 2022). "Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware". The Register . Retrieved 20 May 2022.

[ii-cyber-experts-hunt-hidden-hacking-in-all-government-departments-as-russian-hackers-target-health-8] Molony, Seanan; Weckler, Adrian (17 May 2021). "Cyber experts hunt hidden hacking in all Government departments as Russian hackers target Health". Irish Independent . Retrieved 18 May 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]