Wizard Spider
Wizard Spider, also known as Trickbot, is a cybercrime group based in and around Saint Petersburg in Russia.[1][2][3] Some members may be based in Ukraine.[2] They are estimated to number about 80; some of them may not know they are employed by a criminal organisation.[1][4]
The group has been a target of Europol, Interpol, FBI and also the National Crime Agency in the United Kingdom.[1]
Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.[1][2] Their software is programmed to uninstall itself if it detects that the system uses the Russian language or if the system has an IP address in the former Soviet Union.[2]
Russia is suspected of tolerating Wizard Spider and even assisting them.[2]
Key figures are suspected of being involved with online attacks using Dyre software.[1]
In 2018 the group began using Trickbot, Ryuk and Conti ransomware as their primary tools.[1]
They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying they are carrying out several attacks using different malware.[2]
They have also developed espionage software Sidoh which only gathers information and does not hold it to ransom.[2][5]
They are very security conscious and do not openly advertise on the darknet.[1] They will only work with or sell access to criminals they trust.[1] They are known to belittle their victims via a leak site.[1] The leak site is also used to publish data they have stolen.[2]
Suspected attacks
They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland.[6][1] It is the largest known attack against a health service computer system.[2]
Associates
They are linked to UNC1878, TEMP.MixMaster, and Grim Spider.[4]
According to a report by Jon DiMaggio entitled Ransom Mafia: Analysis of the world's first ransomware cartel, the group is part of a collection of criminals known as the Ransom Cartel or Maze Cartel.[2] They are the largest of the groups active in the cartel.[2][5] The other members are TWISTED SPIDER, VIKING SPIDER, the Lockbit gang and the SunCrypt gang.[2] All use ransomware to extort money.[2][5] (SunCrypt has since retired.[5])
References
- Reynolds, Paul (18 May 2021). "'Wizard Spider': Who are they and how do they operate?". RTÉ News. Retrieved 18 May 2021.
- Lally, Conor (18 May 2021). "Wizard Spider profile: Suspected gang behind HSE attack is part of world's first cyber-cartel". The Irish Times. Retrieved 19 May 2021.
- Burgess, Matt (1 February 2022). "Inside Trickbot, Russia's Notorious Ransomware Gang". Wired. Retrieved 15 February 2022.
- "Mapping To Wizard Spider". MITRE Shield. Mitre Corporation. Retrieved 18 May 2021.
- DiMaggio, Jon. "Ransom Mafia - Analysis of the World's First Ransomware Cartel". Analyst1. Retrieved 19 May 2021.