Wizard Spider

Wizard Spider, also known as Trickbot, is a cybercrime group based in and around Saint Petersburg in Russia.[1][2][3] Some members may be based in Ukraine.[2] They are estimated to number about 80; some of them may not know they are employed by a criminal organisation.[1][4]

The group has been a target of Europol, Interpol, the FBI and the National Crime Agency in the United Kingdom.[1]

Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.[1][2] Their software is programmed to uninstall itself if it detects that the system uses the Russian language or if the system has an IP address in the former Soviet Union.[2]

Russia is suspected of tolerating Wizard Spider and even assisting them.[2]

Key figures are suspected of being involved with online attacks using Dyre software.[1]

In 2018 the group began using Trickbot, Ryuk and Conti ransomware as their primary tools.[1]

They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying they are carrying out several attacks using different malware.[2]

They have also developed espionage software Sidoh which only gathers information and does not hold it to ransom.[2][5]

They are very security conscious and do not openly advertise on the darknet.[1] They will only work with or sell access to criminals they trust.[1] They are known to belittle their victims via a leak site.[1] The leak site is also used to publish data they have stolen.[2]

Suspected attacks

They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland.[6][1] It is the largest known attack against a health service computer system.[2]

Associates

They are linked to UNC1878, TEMP.MixMaster, and Grim Spider.[4]

According to a report by Jon DiMaggio entitled Ransom Mafia: Analysis of the world’s first ransomware cartel, the group is part of a collection of criminals known as the Ransom Cartel or Maze Cartel.[2] They are the largest of the groups active in the cartel.[2][5] The other members are TWISTED SPIDER, VIKING SPIDER, the Lockbit gang and the SunCrypt gang.[2] All use ransomware to extort money.[2][5] (SunCrypt have since retired.[5])

References

  1. Reynolds, Paul (18 May 2021). "'Wizard Spider': Who are they and how do they operate?". RTÉ News. Retrieved 18 May 2021.
  2. Lally, Conor (18 May 2021). "Wizard Spider profile: Suspected gang behind HSE attack is part of world's first cyber-cartel". The Irish Times. Retrieved 19 May 2021.
  3. Burgess, Matt (2022-02-01). "Inside Trickbot, Russia's Notorious Ransomware Gang". Wired. Retrieved 2022-02-15.
  4. "Mapping To Wizard Spider". MITRE Shield. Mitre Corporation. Retrieved 2021-05-18.
  5. DiMaggio, Jon. "Ransom Mafia - Analysis of the World's First Ransomware Cartel". Analyst1. Analyst1. Retrieved 2021-05-19.
  6. Molony, Seanan; Weckler, Adrian (17 May 2021). "Cyber experts hunt hidden hacking in all Government departments as Russian hackers target Health". Irish Independent. Retrieved 18 May 2021.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.