Hubbry Logo
Wizard SpiderWizard SpiderMain
Open search
Wizard Spider
Community hub
Wizard Spider
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Wizard Spider
Wizard Spider
Wizard Spider
View on Wikipedia
from Wikipedia

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest,[1] was a cybercrime group based in and around Saint Petersburg in Russia.[2][3][4] Some members may be based in Ukraine.[3] They are estimated to number about 80, some of whom may not know they are employed by a criminal organisation.[2][5]

The group has been a target of Europol, Interpol, FBI and also the National Crime Agency in the United Kingdom.[2]

History

[edit]

In 2018 the groups began using Trickbot, Ryuk and Conti ransomware as their primary tools.[2]

The group is also responsible for developing the espionage software Sidoh, which only gathers information and does not hold it to ransom.[3][6] In 2020 their software infected three Minnesota medical facilities, locking staff out of computers,[7] which required court orders to try and force the hackers out of the command and control servers.[7][8]

By the start of February 2022 some internal communications from the group had been leaked.[9]

In late February 2022, members of the group initially supported the Russian invasion of Ukraine,[10][11] causing internal group communications to be leaked by an anonymous person in support of Ukraine.[12][13][14]

The groups servers were eventually shut down in 2022.[7][15]

In February 2023 United States Secretary of State Antony Blinken announced that the United States and United Kingdom had sanctioned seven men for allegedly spreading Conti, Ryuk and Trickbot malware.[16] Travel bans were imposed on them, their assets were seized and American and British companies and citizens are prohibited from conducting any business with them.[16] Their names were Vitaliy Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev.[16] Also, any foreign banks that knowingly provide significant services to those men could also be sanctioned.[16]

In September 2023 the USA and UK sanctioned another 11 men connected to Wizard Spider.[7] Their assets in the USA and UK are to be seized and travel bans imposed on them.[7] Wizard Spider was linked to Russian intelligence by the American government.[7] The men named were:

Name Role Aliases
Andrey Zhuykov[7] senior administrator[7] Dif, Defender[7]
Maksim Galochkin[7] test leader[7] Bentley, Crypt, and Volhvb[7]
Maksim Rudenskiy[7] software development leader[7]
Mikhail Tsarev[7] human resources and finance[7] Mango, Alexander Grachev, Super Misha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev[7]
Dmitry Putilin[7] purchase of infrastructure[7] Grad, Staff[7]
Maksim Khaliullin[7] human resources manager, procurement of servers and other infrastructure[7] Kagas[7]
Sergey Loguntsov[7] software developer[7]
Vadym Valiakhmetov[7] software developer[7] Weldon, Mentos, and Vasm[7]
Artem Kurov[7] software developer[7] Naned[7]
Mikhail Chernov[7] internal utilities[7] Bullet[7]
Alexander Mozhaev[7] administrative team[7] Green, Rocco[7]

Other indictments were unsealed, including one in southern California against Maksim Galochkin, on three charges of hacking and deploying Conti on Scripps health hospitals.[7]

As of October 2024 it was disbanded.[17]

Modus operandi

[edit]

PRODAFT wrote a technical report describing their attacks and organisation. Attacks usually begin by sending large amounts of spam to targets in order to trick victims into downloading malware. They use Qbot and SystemBC malware, as well as writing their own. A separate team pinpoints valuable targets and uses Cobalt Strike to attack them. If they gain control of the system, they deploy ransomware.[18]

They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying they are carrying out several attacks using different malware.[3]

They are very security conscious and do not openly advertise on the darknet. They will only work with or sell access to criminals they trust. They are known to belittle their victims via a leak site.[2] The leak site is also used to publish data they have stolen.[3]

Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.[2][3] The Irish Times reports Wizard Spider software is programmed to uninstall itself if it detects that the system uses the Russian language or if the system has an IP address in the former Soviet Union.[3] However, research by PRODAFT found the majority of SystemBC-infected machines to be within Russia (20.5%).[18]

Russia is suspected of tolerating Wizard Spider and even assisting them.[3]

Suspected attacks

[edit]

They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland.[19][2] It is the largest known attack against a health service computer system.[3]

Key figures are suspected of being involved with online attacks using Dyre software.[2]

Associates

[edit]

Members of the group have been linked to UNC1878, TEMP.MixMaster, and Grim Spider.[5]

A research report by Jon DiMaggio suggests the group is part of a collections of criminals known as the Ransom Cartel or Maze Cartel.[3] Other members include TWISTED SPIDER, VIKING SPIDER, LockBit gang and SunCrypt gang.[3] All use ransomware to extort money.[3][6] SunCrypt have since retired.[6]

The PRODAFT report authors found that Wizard Spider sometimes backed up data to a server and that the server contained data from systems that had also been attacked by REvil, though the authors could not conclude which of the two groups had taken the data.[18]

Naming of leader by German Police

[edit]

In May 2025 the leader, known by the alias 'Stern', was named as Vitaly Nikolaevich Kovalev, a 36 year old man living in Russia.[20]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Wizard Spider

View on Grokipedia
from Grokipedia
Wizard Spider is a Russia-based cybercriminal designated by threat intelligence researchers as the primary operator of the modular banking trojan, which enables initial access, , and deployment of payloads such as Ryuk and Conti. The group first emerged in 2016 with TrickBot's distribution for financial fraud before pivoting in 2018 to "" tactics targeting high-value organizations for . Wizard Spider's toolkit includes Cobalt Strike beacons for command-and-control and custom loaders like BazarLoader, allowing modular adaptation to evade defenses and facilitate lateral movement in compromised networks. Its ransomware operations, particularly Ryuk, have inflicted significant damage on sectors including healthcare, manufacturing, and government, with attacks disrupting services and extracting ransoms in the millions of dollars. The syndicate's evolution to Conti ransomware by late 2019 marked a shift toward ransomware-as-a-service models, sharing infrastructure and tactics with Ryuk campaigns. Internal data leaks, such as the 2021 exposure and 2023 insider documents, have revealed hierarchical structures, developer identities, and operational details, yet the group persisted through tool updates and affiliate networks until disruptions from Russia's 2022 invasion of fragmented Russian-speaking ecosystems. actions, including U.S. domain seizures against infrastructure in 2021, highlighted vulnerabilities but did not dismantle core operations, underscoring the challenges in attributing and disrupting transnational entities reliant on resilient architectures.

Overview

Origins and Attribution

Wizard Spider, a cybercrime syndicate specializing in malware development and deployment, first surfaced publicly in September 2016 through the initial distribution of TrickBot, a modular banking trojan designed for credential theft and financial fraud, often offered via malware-as-a-service models. Early operations focused on commodity malware campaigns targeting banking sectors, with TrickBot's modular architecture allowing rapid adaptation for various cybercrime purposes. Attribution of Wizard Spider to Russian-speaking cybercriminals is supported by cybersecurity analyses from firms like , which designate the group as originating from the based on infrastructure hosting, code artifacts, and operational behaviors. Key indicators include malware self-deactivation upon detection of Russian-language environments or IP addresses from and former Soviet republics, as well as a deliberate avoidance of victims in those regions to evade local . This pattern, observed in samples, aligns with profit-driven actors operating under implicit tolerance from Russian authorities, who rarely prosecute such groups when they spare domestic targets. The group's base is primarily linked to the area in , with possible peripheral members in , though core development and command-and-control infrastructure trace to Russian domains. No evidence ties Wizard Spider to state sponsorship; instead, attributions emphasize autonomous cybercriminal motives, evolving from banking trojans to targeted without geopolitical objectives. Shared tactics, techniques, and procedures (TTPs) across and subsequent tools have enabled consistent tracking by threat intelligence providers, reinforcing the single-group attribution despite modular operations.

Primary Malware and Toolset

Wizard Spider's primary malware is , a modular banking trojan first identified in 2016 and continuously developed by the group for initial access, credential theft, and network reconnaissance. TrickBot supports capabilities such as of emails and credentials, host enumeration including / checks, and lateral movement via exploits like , often running from memory to evade detection. Its modular architecture allows customization for tasks like cryptomining or serving as a dropper for , with infections exceeding 1 million systems globally by 2020. The group deploys Ryuk ransomware as the culmination of TrickBot-enabled intrusions, typically after reconnaissance and privilege escalation, with the malware encrypting files using AES-256 and RSA-2048 algorithms and appending a .Ryuk extension. Ryuk, derived from the Hermes ransomware variant, includes ransom notes demanding payment in Bitcoin via a ReadMe.html or .txt file, and has been linked to over $61 million in extorted funds since its emergence in 2018. Post-2020 updates incorporated code obfuscation techniques to hinder analysis, such as anti-disassembly methods. Wizard Spider's toolset extends beyond core malware to include BazarLoader, a backdoor and loader distributed via phishing emails mimicking legitimate software, which facilitates Cobalt Strike beacon deployment for command-and-control and further exploitation. They also leverage Conti ransomware, introduced in June 2020, featuring selective encryption with ChaCha algorithms and a data leak site for extortion, compromising over 120 networks by late 2020. Additional tools encompass Emotet for initial vector delivery leading to TrickBot, PowerShell scripts for evasion, and commercial frameworks like Cobalt Strike for persistence and lateral movement across the attack chain. This ecosystem enables end-to-end operations from phishing or malvertising to ransomware execution.

History

Early Development (2016–2018)

Wizard Spider, a financially motivated group, first surfaced in September 2016 with the release of , a modular banking trojan initially designed for theft and financial . emerged as a successor to earlier like Dyre, incorporating similar code structures, web injection techniques for manipulating banking websites, and operational tactics aimed at harvesting login credentials from infected systems. The malware's core loader facilitated dynamic module downloads, enabling functions such as keylogging, screenshot capture, and to command-and-control servers. In its early iterations from late 2016 through 2017, primarily targeted financial institutions, with campaigns focusing on users in and the through emails and . The group's development emphasized stealth and adaptability, using obfuscated payloads and anti-analysis measures to evade detection, while building a infrastructure for scalable infections. Attribution to Wizard Spider stems from consistent infrastructure overlaps, code signing certificates, and tactics observed in operations, as analyzed by cybersecurity firms tracking the 's propagation. By 2018, TrickBot's modular framework had expanded to include additional capabilities like harvesting and browser credential dumping, reflecting iterative refinements to support broader information-stealing operations beyond initial banking focus. However, the group maintained a primary emphasis on financial gain through automated theft rather than destructive payloads, with no evidence of integration during this phase. These enhancements positioned as a versatile platform, setting the stage for future escalations while relying on underground forums for affiliate distribution.

Expansion into Ransomware (2018–2020)

In late 2018, Wizard Spider, previously focused on financial theft via the banking trojan, expanded into operations by deploying Ryuk against large enterprises, adopting a "" strategy targeting high-value organizations for substantial payouts. Ryuk first appeared in August 2018, with its code derived from the earlier Hermes ransomware but customized for targeted extortion rather than widespread distribution. This shift leveraged existing TrickBot infections for initial access—often delivered through or Emotet droppers—followed by manual lateral movement using tools like , RDP, and PsExec to deploy Ryuk after network reconnaissance, enabling encryption of critical systems and ransom demands in . By 2019, Ryuk deployments intensified, with Wizard Spider refining tactics to prioritize U.S. and European firms in sectors like manufacturing and media, amassing over 705 BTC (approximately $3.7 million USD at the time) across 52 transactions by early 2019 alone, according to blockchain analysis of associated wallets. The group's operations demonstrated a departure from TrickBot's automated wire fraud, emphasizing human-operated ransomware for higher yields, with demands escalating based on victim reconnaissance; for instance, following U.S. Department of Justice indictments in November 2018, operators adjusted Bitcoin addresses in ransom notes to evade tracking. Mandiant observed this pattern in intrusions where TrickBot compromises rapidly escalated to Ryuk within weeks, confirming the integrated toolset. Into 2020, Wizard Spider sustained Ryuk activity amid disruptions, temporarily pausing deployments from March to September before resuming with enhanced code obfuscation, while experimenting with alternatives like Conti ransomware introduced in June 2020. The FBI later estimated Ryuk operations generated over $61 million USD in ransoms by mid-2020, underscoring the profitability of this expansion and Wizard Spider's adaptability in maintaining operational resilience post-initial TrickBot-focused era. This period solidified their role in the ransomware ecosystem, with Ryuk exclusively controlled by the group unlike more commoditized malware.

Disruptions and Evolution (2020–Present)

In October 2020, coordinated an international effort with partners including , Lumen, and to disrupt the botnet operated by Wizard Spider, seizing or rendering inoperable approximately 150 command-and-control domains and eliminating 94% of its by October 18. This action aimed to hinder the group's ability to deploy such as Ryuk, which relied on for initial access and lateral movement in targeted attacks. Despite the setback, Wizard Spider demonstrated resilience by rapidly rebuilding infrastructure and adapting their modular toolkit, incorporating enhancements to evasion techniques and expanding deployment of alternative loaders like BazarLoader alongside continued use of modules for credential harvesting and remote access. By late 2020 and into 2021, the group evolved its ransomware operations, shifting emphasis from Ryuk to , a Ransomware-as-a-Service (RaaS) variant they developed and deployed through TrickBot-compromised networks, targeting high-value sectors including healthcare and for multimillion-dollar extortions. Conti's allowed affiliates to conduct double-extortion by exfiltrating prior to encryption, amplifying financial pressure on victims. Operations persisted post-disruption, with detections remaining prevalent despite a noted decline in overall efficacy due to improved defenses and modular updates that incorporated Cobalt Strike for . The group's trajectory shifted dramatically in early 2022 following Russia's invasion of , when Conti operators publicly pledged support for the Russian government, prompting a rogue insider to leak over 60 terabytes of internal data—including source code, chat logs, and tools—exposing operational details and affiliates. This breach eroded Conti's secrecy and operational cohesion, leading to its effective shutdown by mid-2022, though core Wizard Spider members repurposed leaked tools and crypters in successor strains like Black Basta while maintaining for initial access. Law enforcement responses intensified, with U.S. Treasury and DOJ sanctions in September 2023 targeting 's infrastructure and operators for ties to Russian , alongside actions, yet the group continued low-profile activities into 2025, leveraging evolved tactics such as and exploit kits for persistence. In May 2025, Operation Endgame 2.0 by and partners disrupted alongside other initial access brokers, but analysts note ongoing adaptations, positioning Wizard Spider as a enduring threat in Russia's ecosystem despite repeated setbacks.

Operations

Initial Access Techniques

Wizard Spider primarily gains initial access to target networks through campaigns delivering modular such as TrickBot and BazarLoader. , operational since 2016, is often distributed via malicious spam (malspam) emails containing attachments or links, frequently leveraging as a vector until its disruption in September 2020; post-disruption, TrickBot campaigns resumed with unique configurations tagged for group identification, such as "mor131." BazarLoader, observed in campaigns from March to September 2020, is deployed via spam emails mimicking legitimate business communications (e.g., complaints or phone call notifications) with links to compromised , leading to loader and backdoor payloads, including variants. In Conti ransomware operations, which Wizard Spider shifted to prominently after mid-2020, initial access diversifies to include spearphishing with tailored attachments embedding scripts for malware like TrickBot, IcedID, or Cobalt Strike beacons. Actors also exploit unpatched public-facing applications and vulnerabilities in external assets to achieve footholds without user interaction. Additional vectors encompass credential-based access, particularly via stolen or weak (RDP) credentials, often acquired from underground markets or initial access brokers within ransomware-as-a-service ecosystems. Social engineering tactics, such as (voice phishing) calls, and promotion of fake software through further facilitate entry, enabling subsequent deployment of like Conti or Ryuk. These methods reflect Wizard Spider's evolution from banking trojan distribution to targeted "big game hunting," prioritizing high-value victims with minimal detection.

Lateral Movement and Persistence

Wizard Spider operators establish persistence through multiple mechanisms following initial access via malware such as or BazarLoader. Common techniques include modifying registry run keys under HKCU\SOFTWARE\[Microsoft](/page/Microsoft)\Windows\CurrentVersion\Run and placing shortcuts in startup folders to ensure automatic execution upon user logon. They also leverage Winlogon helper DLLs by altering HKLM\SOFTWARE\[Microsoft](/page/Microsoft)\Windows NT\CurrentVersion\Winlogon entries, such as Userinit configurations, to load malicious components during system boot. Additionally, persistence is achieved by creating or modifying Windows services, exemplified by installing as the ControlServiceA service, and scheduling tasks like "WinDotNet" to execute payloads periodically. Account creation further supports long-term access, with local and domain admin accounts generated to facilitate ongoing operations. For lateral movement, the group exploits stolen credentials harvested via modules like TrickBot's pwgrab64 to traverse networks using legitimate remote services. (RDP) is frequently employed for exploration and payload deployment across hosts. (SMB) protocol and Windows Admin Shares enable file copying and execution, including dropping Cobalt Strike beacons on domain controllers from temporary directories. Tools such as PsExec and services.exe are used for remote service execution, often in conjunction with pass-the-hash techniques via Invoke-SMBExec to propagate like Ryuk or Conti without alerting defenses. (WMI) and facilitate queries and command execution for broader and tool transfer. PowerShell Empire, deployed as a service, aids in obfuscated script execution and reverse shells to maintain control during traversal, which can span days to months depending on network size. These methods prioritize speed in high-value targets, as observed in Ryuk deployments achieving full within hours.

Ransomware Deployment and Extortion

Wizard Spider deploys ransomware such as Ryuk and Conti following initial access and lateral movement within victim networks, typically after reconnaissance to identify high-value targets. The group disables defensive measures prior to encryption, including stopping backup services via commands like taskkill.exe and net.exe, and deleting volume shadow copies using vssadmin and wmic. Ryuk, introduced in August 2018, employs AES-256 and RSA-2048 encryption algorithms to lock files, appending the .Ryuk extension and leaving ransom notes with instructions for payment in Bitcoin via ProtonMail contacts. Conti, deployed since June 2020, uses a ChaCha cipher for selective encryption focused on network shares and avoids encrypting files larger than 50 MB to preserve operational functionality. Prior to deployment, Wizard Spider exfiltrates sensitive data to enable double , employing tools like Sidoh (also known as Ryuk Stealer), a keyword-based utility that scans drives for files matching extensions such as .docx, .pdf, and .xls, then uploads them via FTP to attacker-controlled servers. Sidoh variants, observed from June 2019 to January 2020, incorporate deny lists to skip system files and use hardcoded IP addresses for transfer, facilitating the theft of proprietary, financial, or governmental documents. Additional exfiltration occurs over command-and-control channels or alternative protocols like FTP and web services, with data staged for upload to cloud providers. Extortion involves demanding ransoms in , with Ryuk victims collectively paying over $61 million according to FBI estimates, while Conti operations compromised more than 120 networks and publicized leaks on dedicated sites launched in August 2020. The group pressures victims through hired callers and threats to release exfiltrated , operating a ransomware-as-a-service model where affiliates receive shares of payments funneled through shared addresses linking Ryuk and Conti proceeds. Wizard Spider avoids targets in and CIS countries, uninstalling upon detection of Russian-language systems or IP geolocation.

Notable Attacks

Healthcare and Critical Infrastructure Targets

Wizard Spider has conducted multiple ransomware attacks on healthcare organizations, primarily using Ryuk in 2020 and Conti from 2021 onward, often initiating infections via malware to achieve initial access and lateral movement. These operations targeted the health and (HPH) sector, where Ryuk alone represented approximately one-third of reported incidents in the United States through October 2020. The group's tactics exploited vulnerabilities in unpatched systems and weak , leading to widespread and operational disruptions during a period of heightened strain from the . A prominent example occurred on September 27, 2020, when Ryuk ransomware struck Universal Health Services (UHS), affecting more than 400 facilities across 37 U.S. states, the United Kingdom, and Ireland. The attack rendered electronic health records, imaging systems, and communication tools inaccessible, forcing hospitals to revert to paper-based processes, divert ambulances, and delay non-emergency procedures. UHS reported restoring systems after about three weeks, with total losses estimated at $67 million, including lost revenue and remediation costs. Additional Ryuk deployments in October 2020 impacted facilities such as Sky Lakes Medical Center in Oregon and St. Lawrence Health in New York, contributing to a wave of nearly two dozen U.S. hospital disruptions. Following a temporary shift to Conti in early 2020, Wizard Spider resumed Ryuk usage but increasingly leveraged Conti for healthcare targets, as evidenced by the , 2021, attack on Ireland's (HSE), the national public health system. The Conti variant encrypted critical IT , including patient records and administrative systems, halting routine services, diagnostic testing, and programs amid the . HSE declined ransom payment, leading to and leaks on Conti's site; recovery efforts, involving system rebuilds and manual operations, incurred costs exceeding €100 million. Attribution to Wizard Spider stemmed from forensic linking the operation to the group's and tactics. While healthcare formed a core focus due to the sector's operational urgency and willingness to pay ransoms, Wizard Spider's Conti operations extended to other , including government and logistics entities. For instance, Conti affiliates disrupted Costa Rican ministries and public services in April–May 2022, prompting a national emergency declaration and infrastructure outages. These attacks aligned with the group's broader evolution toward high-impact targets, though direct ties to Wizard Spider's core operators relied on blockchain and similarities between Conti and Ryuk. U.S. agencies noted the potential for such tactics to cascade into broader failures, emphasizing the need for sector-specific defenses.

Corporate and Financial Victims

In 2021, Wizard Spider deployed Ryuk ransomware against Molson Coors, a multinational brewing corporation, disrupting operations across North American facilities including production halts and email outages starting March 15; the attack, linked to prior TrickBot infections, underscored the group's focus on high-revenue industrial targets. ExaGrid Systems, a U.S.-based data storage and backup technology firm, fell victim to a Conti ransomware attack in June 2021, resulting in encrypted systems and a confirmed ransom payment of $2.6 million to regain access, as disclosed by the company amid operational downtime. A Nokia subsidiary in Georgia, USA, suffered a data breach in August 2021 following a Conti ransomware incursion, exposing employee and customer information; the incident, part of broader corporate targeting, highlighted Wizard Spider's evolution from Ryuk to Conti for enterprise extortion. Conti operations, attributed to Wizard Spider, claimed Sea-Invest, a Belgian oil terminal operator, among over 50 corporate victims in March 2022, with leaked data indicating supply chain disruptions in energy logistics; such attacks netted the group an estimated $180 million annually from corporate ransoms. Financial sector victims remain sparsely documented in ransomware deployments, as Wizard Spider's initial TrickBot malware focused on banking trojan theft rather than encryption; however, the group's toolkit enabled data exfiltration from financial entities prior to Ryuk or Conti drops, with over 850 total victims across Conti leaks including implied corporate finance exposures.

Associates and Networks

Malware Ecosystem Partnerships

Wizard Spider, the cybercriminal group behind the malware and ransomware strains such as Ryuk and Conti, operates within a collaborative malware ecosystem characterized by affiliations with initial access brokers and tool-sharing arrangements with other threat actors. These partnerships enable the group to outsource network infiltration while focusing on deployment and , following a Ransomware-as-a-Service (RaaS) model where affiliates receive a share of proceeds in exchange for providing compromised access. For instance, TrickBot operators have expanded distribution through partnerships with cybercrime affiliates, who leverage the malware for banking trojan operations before handing off to Wizard Spider for execution. Evidence of inter-group cooperation includes shared infrastructure and modules with LUNAR SPIDER, the operators of BokBot (a variant of ). In February 2019, observed a LUNAR SPIDER affiliate distributing Wizard Spider's malware, indicating tactical alliances for mutual malware propagation. By March 2019, further analysis revealed the use of a shared proxy module between BokBot and campaigns, suggesting or direct collaboration to enhance evasion and persistence across operations. Such arrangements extend to crypter tools developed by Wizard Spider (also tracked as ITG23), which Security identified in May 2022 as being adopted by diverse cybercriminals for obfuscating payloads, thereby broadening the group's influence through tool dissemination. Blockchain analysis by TRM Labs in April 2022 corroborated operational ties between Wizard Spider, Ryuk, and Conti, revealing shared wallet addresses and fund flows that link these variants under a unified ecosystem, with affiliates facilitating initial access sales to Wizard Spider actors. This integration positions Wizard Spider within a loose "cybercrime cartel" of Russian-speaking groups, including entities like Viking Spider () and Twisted Spider (GandCrab/LockBit precursors), where mentors share hacking techniques, breached data, and infrastructure to maximize collective gains, as reported in July 2021 based on leaked communications and operational overlaps. These partnerships, while opportunistic, rely on non-aggression pacts to avoid intra-ecosystem conflicts, allowing Wizard Spider to scale attacks without developing all access vectors internally.

Affiliation with Broader Cybercrime Cartels

Wizard Spider operates within a interconnected Russian-speaking , where it functions both as a malware developer (primarily , active since 2016) and as a deployer, facilitating handoffs to affiliated operators for . The group has demonstrated operational overlap with ransomware-as-a-service (RaaS) models, using for initial access and lateral movement before deploying payloads like Ryuk (active since mid-2018, with FBI-estimated extortions exceeding $61 million) or Conti (launched around August 2020, compromising over 120 networks). These connections are evidenced by shared codebases, such as modules integrated into Conti variants, and blockchain-traced payments linking actors across Ryuk and Conti operations, including a July 2021 transfer of $85,000 from a known Ryuk to salaries for Conti developers. Analyses indicate Conti emerged as a potential rebrand or evolution of Ryuk around May 2020, with Wizard Spider maintaining control over both through merged infrastructure by late 2021. This integration allowed Wizard Spider to expand its toolset, incorporating BazarLoader for broader infection vectors and Cobalt Strike for post-exploitation, often in tandem with Ryuk or Conti ransomware. While not a monolithic entity, the group collaborates opportunistically with access brokers and affiliates, such as through Emotet (operated by Mummy Spider) distributing TrickBot payloads as observed in October 2020. Claims of Wizard Spider's formal membership in a "Ransom Cartel" or ""—involving data-sharing and mentoring with groups like LockBit or —stem from observed technique exchanges among Russian actors but lack structural evidence, as Maze operators publicly denied cartel formation in 2021. Instead, affiliations appear tactical, including loose ties to Qbot operators for modular enhancements and broader ecosystem partnerships where initial access is sold to ransomware affiliates. These dynamics reflect a profit-driven network rather than a centralized syndicate, with Wizard Spider's persistence evidenced by temporary disruptions like the September 2020 TrickBot C2 takedown, which prompted rapid reconfiguration.

Leadership and Law Enforcement

Identified Key Figures

Vitaly Nikolaevich Kovalev, a 36-year-old Russian national, has been identified by German Federal Criminal Police (BKA) as the founder and leader of the group, synonymous with Wizard Spider, operating under the alias "." U.S. and U.K. authorities sanctioned him in February 2023 as a senior figure responsible for overseeing 's development and deployment, which enabled strains including Ryuk and Conti, resulting in hundreds of millions in extorted funds. Kovalev, also known by online monikers "" and "," facilitated the group's evolution from banking trojan operations starting in 2016 into a broader ecosystem. Mikhail Tsarev, another Russian national using aliases such as "Mango," "Alexander Grachev," and "Super Misha," played a key role in deploying Trickbot and Conti malware within Wizard Spider's operations. He was indicted by a U.S. federal grand jury in September 2023 alongside associates for conspiracy to commit wire fraud and computer fraud in connection with Trickbot malware distribution and Conti ransomware attacks targeting global victims. Tsarev faced additional EU sanctions in June 2024 for enabling destructive cyber activities linked to the group. Maksim Galochkin, operating under handles "" and "Benalen," led a team of testers for Wizard Spider and contributed to the technical deployment of and Conti. Sanctioned by the U.S. and U.K. in September 2023, and by the in June 2024, Galochkin was charged in the same U.S. indictment as Tsarev for facilitating schemes that compromised and corporate networks worldwide. Among other sanctioned associates, Valery Sedletski and Valentin Karyagin, both Russians, were designated in February 2023 for their involvement in Trickbot's infrastructure, including and operational support, though their exact hierarchies remain less specified in public attributions. These identifications stem primarily from coordinated enforcement efforts, revealing Wizard Spider's hierarchical structure centered on Russian developers and operators evading capture through pseudonyms and jurisdictional protections.

Attribution Efforts and Takedowns

Attribution of activities to Wizard Spider has primarily relied on technical indicators shared by cybersecurity firms and law enforcement agencies, including overlapping infrastructure, malware signatures, and consistent tactics, techniques, and procedures (TTPs) observed in Trickbot deployments leading to Ryuk ransomware infections. Microsoft first publicly designated the actors as Wizard Spider in 2019, linking them to Trickbot's modular evolution into ransomware enablers based on command-and-control (C2) server analysis and infection chains affecting over a million devices since 2016. Mandiant tracked the group as UNC1878, attributing over 90% of Ryuk incidents to them through endpoint logging, lateral movement patterns like Cobalt Strike usage, and post-exploitation behaviors in victim networks from 2018 onward. CrowdStrike and ESET corroborated these links via reverse engineering of Trickbot variants and Ryuk payloads, noting code reuse and operational overlaps with Conti ransomware, which emerged as a successor strain around 2020. Law enforcement attribution efforts have integrated these private-sector insights, with the FBI issuing alerts in 2019 and 2020 identifying Wizard Spider's role in Ryuk attacks on U.S. healthcare and critical infrastructure, supported by indicators of compromise (IOCs) such as IP addresses and mutex names derived from seized malware samples. The group's Russian origins, centered around Saint Petersburg, were inferred from language in code comments, forum activity on Russian-speaking underground sites, and geolocation of C2 servers, though direct ties to state intelligence remain unproven beyond opportunistic alignments during geopolitical events. Challenges in attribution include the group's use of bulletproof hosting and virtual private servers to obfuscate origins, as well as rebranding to Conti, which complicated tracking but was resolved through persistent TTP analysis showing continuity in tools like AnchorDNS for lateral movement. Takedown efforts began with a coordinated disruption of infrastructure on October 6, 2020, when , , ' Black Lotus Labs, and NTT obtained U.S. court authorization to seize 37 domains and neutralize over 250 unique C2 servers, temporarily halting new infections and activations across six modules of the . This operation, involving global partners and preemptive legal actions under civil forfeiture laws, aimed to preempt surges ahead of the U.S. elections and reportedly delayed Ryuk deployments for weeks, though the group adapted by migrating to new infrastructure within months. Subsequent actions focused on sanctions rather than kinetic takedowns, given the actors' sanctuary in . In February 2023, the U.S. Treasury Department, coordinated with the , designated seven Russian nationals affiliated with Trickbot/Wizard Spider under Executive Order 13694 for malicious cyber activities, freezing assets and prohibiting U.S. dealings to disrupt financing of operations linked to Conti and Ryuk attacks since 2016. This was followed in September 2023 by sanctions on eleven additional Trickbot members, including developers of payloads, based on intelligence tying them to over $100 million in extorted funds and ties to Russian intelligence services. The added Trickbot-related entities to its cyber sanctions list in June 2024, targeting individuals involved in Wizard Spider's campaigns against EU . No public arrests of core members have occurred, attributable to jurisdictional barriers and lack of cooperation from .

Impact and Analysis

Economic and Operational Damages

Wizard Spider's ransomware operations, primarily via Conti and Ryuk strains deployed after compromises, have caused extensive economic losses through ransom demands, recovery expenditures, and productivity halts. In the May 2021 Conti attack on Ireland's (HSE), initial recovery cost estimates reached €580 million (approximately $600 million USD), encompassing IT infrastructure replacement, cybersecurity enhancements, and operational downtime. By early 2022, confirmed expenditures exceeded €52 million ($57 million USD), including €20 million for core IT systems and €16 million for external consulting and support. Later assessments pegged total costs at over €100 million ($110 million USD), with ongoing expenses for system upgrades and lost productivity. These economic burdens extend beyond ransoms—Conti affiliates reportedly extracted at least $180 million globally in payments by 2023, though victims' total damages, including forensic investigations and restoration, multiply this figure. Ryuk deployments, active since 2018, similarly targeted high-value entities, with early operations yielding over $3.7 million in ransoms from enterprise victims, but aggregate losses escalated due to encrypted volumes and extended outages. Operationally, Wizard Spider attacks have disrupted critical services, particularly in healthcare, where Conti variant struck more infrastructure targets than any other in . The HSE incident shut down nationwide IT systems for weeks, forcing manual operations, canceling elective procedures, postponing cancer screenings, and diverting emergency services, which compromised patient care continuity. Similar Conti incursions into U.S. healthcare and first-responder networks caused system-wide , halting electronic health records access and delaying treatments. Ryuk attacks, often following footholds, paralyzed hospital operations, as seen in compromises of managed service providers serving healthcare, leading to widespread service denials.

Strategic Implications for Cybersecurity

Wizard Spider's campaigns exemplify the professionalization of cybercrime through ransomware-as-a-service (RaaS) ecosystems, where initial access via malware like TrickBot or BazarLoader enables subsequent deployment of Conti or Ryuk ransomware against high-value targets, demanding defenders prioritize behavioral analytics and endpoint detection over static signatures to disrupt multi-stage attacks. Their routine exploitation of unpatched vulnerabilities, weak RDP credentials, and phishing vectors for lateral movement via SMB and PowerShell highlights the necessity of zero-trust architectures, including network segmentation, least-privilege access, and mandatory multi-factor authentication (MFA) to contain breaches before encryption or exfiltration occurs. The group's evolution to double-extortion tactics—stealing data for leak-site threats alongside encryption—amplifies recovery complexities, with Ryuk alone yielding over $61 million in ransoms by 2020, underscoring the strategic value of offline, immutable backups, prevention monitoring, and preemptive threat intelligence sharing to reduce dependency on payments that fund further operations. Targeting of , such as U.S. healthcare networks, further necessitates sector-specific resilience plans, including regular red-team exercises modeled on evaluations of Wizard Spider's techniques like credential dumping and defense evasion. Geopolitically, Wizard Spider's Russian origins and pledges of support for state actions—coupled with threats of retaliatory strikes against perceived adversaries—blur criminal and state-sponsored threats, complicating attribution and enforcement while emphasizing the need for public-private partnerships, on enablers, and adaptive policies like CISA's Known Exploited Vulnerabilities catalog to counter safe-haven dynamics in . This operational sophistication, evidenced by tool and Cobalt Strike usage, reinforces a broader shift toward continuous monitoring and automated response systems to outpace adversaries' rapid adaptations.

References

  1. https://www.crowdstrike.com/adversaries/wizard-spider/
  2. https://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider
  3. https://www.crowdstrike.com/en-us/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  4. https://www.crowdstrike.com/en-us/blog/wizard-spider-adversary-update/
  5. https://www.hhs.gov/sites/default/files/trickbot-ryuk-and-the-hph-sector.pdf
  6. https://www.trmlabs.com/resources/blog/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider
  7. https://go.recordedfuture.com/hubfs/reports/cta-2023-0223.pdf
  8. https://www.wired.com/story/trickbot-trickleaks-bentley/
  9. https://www.blackfog.com/wizard-spider-russian-cybercrime-group/
  10. https://www.cisa.gov/sites/default/files/publications/TrickBot_Fact_Sheet_508.pdf
  11. https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot
  12. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Trickbot
  13. https://www.crowdstrike.com/en-us/cybersecurity-101/malware/trickbots/
  14. https://www.esentire.com/web-native-pages/threat-dissection-trickbot
  15. https://www.netsecurity.com/trickbot-malware-analysis/
  16. https://www.mandiant.com/resources/blog/the-cycle-of-adversary-pursuit
  17. https://www.microsoft.com/en-us/security/blog/2020/10/12/trickbot-disrupted/
  18. https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/
  19. https://redcanary.com/threat-detection-report/threats/trickbot/
  20. https://globalinitiative.net/analysis/conti-ransomware-group-cybercrime/
  21. https://www.ibm.com/think/x-force/trickbot-conti-crypters-where-are-they-now
  22. https://www.trmlabs.com/resources/blog/u-s-doj-treasury-and-u-k-authorities-take-action-against-russian-cybercriminal-group-trickbot
  23. https://www.spamhaus.org/resource-hub/malware/botnets-disrupted-worldwide-operation-endgame-is-back/
  24. https://cybergeist.io/profile/wizard-spider
  25. https://www.cisa.gov/news-events/alerts/2021/09/22/conti-ransomware
  26. https://unit42.paloaltonetworks.com/conti-ransomware-gang/
  27. https://us-cert.cisa.gov/ncas/alerts/aa20-302a
  28. https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
  29. https://www.crowdstrike.com/en-us/blog/timelining-grim-spiders-big-game-hunting-tactics/
  30. https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf
  31. https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
  32. https://thedfirreport.com/2020/10/08/ryuks-return/
  33. https://www.crowdstrike.com/en-us/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/
  34. https://attack.mitre.org/groups/G0102/
  35. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
  36. https://www.hipaajournal.com/universal-health-services-ransomware-attack-cripples-it-systems-across-united-states/
  37. https://www.wired.com/story/universal-health-services-ransomware-attack/
  38. https://www.cloudflare.com/learning/security/ransomware/ryuk-ransomware/
  39. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html
  40. https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/
  41. https://www.hhs.gov/sites/default/files/lessons-learned-hse-attack.pdf
  42. https://www.computerweekly.com/news/252500905/Conti-ransomware-syndicate-behind-attack-on-Irish-health-service
  43. https://www.paubox.com/blog/conti-ransomware-attack-irelands-healthcare-system-cost-100m
  44. https://www.akamai.com/glossary/what-is-conti-ransomware
  45. https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-ransomware-gang-conti
  46. https://www.computerweekly.com/news/252501665/Exagrid-pays-26m-to-Conti-ransomware-attackers
  47. https://www.itpro.co.uk/mobile/mobile-phones/360678/nokia-subsidiary-reveals-data-breach-following-conti-ransomware-raid
  48. https://www.esentire.com/security-advisories/conti-ransomware-gang-claims-50-new-victims-including-oil-terminal-operator-sea-invest
  49. https://www.group-ib.com/media-center/press-releases/conti-armada-report/
  50. https://www.cyberdefensemagazine.com/trickbot-spreads/
  51. https://www.crowdstrike.com/en-us/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
  52. https://www.crowdstrike.com/en-us/blog/wizard-spider-lunar-spider-shared-proxy-module/
  53. https://www.ibm.com/think/x-force/itg23-crypters-cooperation-between-cybercriminal-groups
  54. https://www.cbsnews.com/news/ransomware-cybercrime-cartel-wizard-spider-viking-spider-lockbit-twisted-spider/
  55. https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame_2/KVN/Englisch.pdf
  56. https://home.treasury.gov/news/press-releases/jy1256
  57. https://www.secretservice.gov/investigations/mostwanted/kovalev
  58. https://home.treasury.gov/news/press-releases/jy1714
  59. https://www.justice.gov/archives/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware
  60. https://www.consilium.europa.eu/en/press/press-releases/2024/06/24/cyber-attacks-six-persons-added-to-eu-sanctions-list-for-malicious-cyber-activitiescyberattacks-against-eu-member-states-and-ukraine/
  61. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02019D0797-20240624
  62. https://sanctionsnews.bakermckenzie.com/us-and-uk-sanction-cyber-criminals-in-coordinated-action/
  63. https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
  64. https://www.cybersecuritydive.com/news/ryuk-ransomware-mandiant-unc1878-sans-institute/593903/
  65. https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/
  66. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
  67. https://krebsonsecurity.com/2023/02/u-s-u-k-sanction-7-men-tied-to-trickbot-hacking-group/
  68. https://www.eset.com/us/about/newsroom/research/eset-takes-part-in-global-operation-to-disrupt-trickbot-a-botnet-that-has-infected-over-a-million-c/
  69. https://www.cio.inc/irish-ransomware-attack-recovery-cost-estimate-600-million-a-16931
  70. https://www.bankinfosecurity.com/ransomware-attack-irelands-cleanup-costs-hit-48-million-a-18603
  71. https://heimdalsecurity.com/blog/hse-to-pay-a-huge-cost-after-major-2021-ransomware-attack/
  72. https://www.siliconrepublic.com/enterprise/conti-ransomware-gang-trickbot-sanctions-cyberattacks
  73. https://www.hhs.gov/sites/default/files/conti-ransomware-health-sector.pdf
  74. https://www.ic3.gov/CSA/2021/210521.pdf
  75. https://www.crowdstrike.com/en-us/blog/double-trouble-ransomware-data-leak-extortion-part-1/
  76. https://evals.mitre.org/enterprise/wizard-spider-sandworm
  77. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Add your contribution
Related Hubs
User Avatar
No comments yet.