Wizard Spider

Wizard Spider is a cyber threat actor group linked to Russia. It is best identified for the multitude of malware families they have developed and released since they were identified in 2017. This malware includes Conti, Trickbot, BazarLoader, and Ryuk malware. Wizard Spider is a large and well-funded organization. It has the resources to address the full range of a cyberattack campaign activity, from early surveillance and intrusion to payment and laundering of the extorted funds. Wizard Spider is behind millions of spam emails and the resulting data breaches, ransomware attacks, and theft of sensitive data. Wizard Spider targets supply chain companies, defense contractors, a broad mix of large enterprises, and public sector organizations, including utility providers and healthcare facilities.

Recently Prodaft, a cybersecurity company, released a report that indicates that Wizard Spider is perhaps one of the most successful threat actors, with assets easily exceeding several hundreds of millions of dollars. More concerning is that Wizard Spider includes multiple cells or subgroups of threat actors that can manage portions of threat campaigns from the earliest stages to the final laundering of digital money. Additionally, wizard Spider appears to fund research & development in pursuit of new and improved tools and enhanced malicious techniques and procedures.

Wizard Spider’s attacks leverage tools to support targeted phishing activity and business email compromise. Once Wizard Spider has penetrated the network, they may utilize Cobalt Strike to gain administrator privileges. Then, perhaps Conti ransomware is deployed, assets are encrypted, and the ransom process can be monetized. Wizard Spider is also known for the use of a custom cracking station. The cracking stations include cracked hashes and run password crackers to try to compromise domain credentials. Additionally, wizard Spider uses a variety of virtual private networks to camouflage their activity. Further, they employ criminal subcontractors that run an illegal call center to call the organizations and individuals whose files are encrypted and then coerce them into paying the ransom.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.