Wizard Spider

From Wikipedia, the free encyclopedia

Wizard Spider, also known as Trickbot, is a cybercrime group based in and around Saint Petersburg in Russia.[1][2][3] Some members may be based in Ukraine.[2] They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.[1][4]

The group has been a target of Europol, Interpol, FBI and also the National Crime Agency in the United Kingdom.[1]

Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.[1][2] Their software is programmed to uninstall itself if it detects that the system uses the Russian language or if the system has an IP address in the former Soviet Union.[2]

Russia is suspected of tolerating Wizard Spider and even assisting them.[2]

Key figures are suspected of being involved with online attacks using Dyre software.[1]

In 2018 the groups began using Trickbot, Ryuk and Conti ransomware as their primary tools.[1]

They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying they are carrying out several attacks using different malware.[2]

They have also developed espionage software Sidoh which only gathers information and does not hold it to ransom.[2][5]

They are very security conscious and do not openly advertise on the darknet.[1] They will only work with or sell access to criminals they trust.[1] They are known to belittle their victims via a leak site.[1] The leak site is also used to publish data they have stolen.[2]

Suspected attacks[]

They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland.[6][1] It is the largest known attack against a health service computer system.[2]

Associates[]

They are linked to UNC1878, TEMP.MixMaster, and Grim Spider.[4]

According to a report by Jon DiMaggio entitled Ransom Mafia: Analysis of the world’s first ransomware cartel the group is part of a collections of criminals known as the Ransom Cartel or Maze Cartel.[2] They are the largest of the groups active in the cartel.[2][5] The other members are: TWISTED SPIDER, VIKING SPIDER, Lockbit gang and SunCrypt gang.[2] All use ransomware to extort money.[2][5] (SunCrypt have since retired.[5])

References[]

  1. ^ a b c d e f g h i j Reynolds, Paul (18 May 2021). "'Wizard Spider': Who are they and how do they operate?". RTÉ News. Retrieved 18 May 2021.
  2. ^ a b c d e f g h i j k l m Lally, Conor (18 May 2021). "Wizard Spider profile: Suspected gang behind HSE attack is part of world's first cyber-cartel". The Irish Times. Retrieved 19 May 2021.
  3. ^ Burgess, Matt (2022-02-01). "Inside Trickbot, Russia's Notorious Ransomware Gang". Wired. Retrieved 2022-02-15.
  4. ^ a b "Mapping To Wizard Spider". MITRE Shield. Mitre Corporation. Retrieved 2021-05-18.
  5. ^ a b c d DiMaggio, Jon. "Ransom Mafia - Analysis of the World's First Ransomware Cartel". Analyst1. Analyst1. Retrieved 2021-05-19.
  6. ^ Molony, Seanan; Weckler, Adrian (17 May 2021). "Cyber experts hunt hidden hacking in all Government departments as Russian hackers target Health". Irish Independent. Retrieved 18 May 2021.
Stub icon

This organization-related article is a stub. You can help Wikipedia by .

  • v
  • t
Retrieved from ""