Researchers have uncovered the inner workings of Wizard Spider, a hacking group that funnels its illicit proceeds back into the criminal enterprise.
On Wednesday, PRODAFT released the results of an investigation into Wizard Spider, which is believed to be linked to the hacking groups Grim Spider and Lunar Spider.
According to the cybersecurity firm, Wizard Spider, likely of Russian origin, operates an infrastructure consisting of a “complex set of sub-teams and groups [..] has a large number of compromised devices and employs a highly distributed professional workflow to maintain security and a high pace of operations.”
Today’s more sophisticated cybercrime operations, whether purely for profit or serving state interests – like many Advanced Persistent Threat (APT) groups – often operate on business models. This includes hiring top talent and creating a financial framework for depositing, remitting and laundering proceeds.
In the case of Wizard Spider, this also means putting some of its profits back into development with investments in tools and software and paying for new hires. The report suggests the group has “hundreds of millions of dollars in assets.”
“The group’s exceptional profitability allows its executives to invest in illicit research and development initiatives,” say the researchers. “Wizard Spider is fully capable of hiring specialized talent, building new digital infrastructure and gaining access to advanced exploits.”
According to PRODAFT, Wizard Spider focuses on corporate network compromise and “has a significant presence in almost every developed country in the world and also in many emerging markets”.
Victims included defense contractors, corporations, supply chain providers, hospitals and key utilities.
Wizard Spider attacks typically begin with spam and phishing using QBot and the SystemBC proxy. The group can also infiltrate companies by hijacking existing employee-to-employee email threads, a Business Email Compromise (BEC) technique.
Once there is a crack in the door, the group deploys Cobalt Strike and works toward domain admin privileges. The Conti ransomware strain is then deployed, machines and hypervisor servers are encrypted, and a ransom demand is made.
Victims are managed through a locker control panel.
Wizard Spider also uses virtual private networks (VPNs) and proxies to hide its tracks. However, the group has also invested in some unusual tools, including VoIP systems and staff tasked with cold calling victims and intimidating them into paying after a security incident.
This is a tactic used by a handful of other ransomware groups in the past, including Sekhmet, Maze, and Ryuk. Coveware suspects that such “call center” work could be outsourced by cybercriminals because the templates and scripts used are often “basically the same”.
Another notable tool is the Wizard Spider Cracking Station, a custom kit that stores captured hashes, runs password crackers against them to recover domain credentials and other common hash types, and reports cracking status back to the team. At the time of the report, it had 32 active users.
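The cracking station is an attacker-side tool, but the technique it relies on is the same one a defender can run against their own domain: hash every candidate password the way Windows does (an NT hash is MD4 over the UTF-16LE password) and compare against the stored NT hashes. The script below is an added example written for this article, not code from PRODAFT's report or from Wizard Spider's tooling. It assumes a secretsdump-style dump format (user:rid:lmhash:nthash:::), uses a constructed dump built from known test passwords so it runs offline, and carries its own MD4 because hashlib's md4 is often missing on modern OpenSSL builds. Beyond dictionary matches, it also flags the two things a cracking station gets for free: accounts that share a hash (password reuse) and accounts with the empty-password hash.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used here because hashlib may lack md4."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: F = (x & y) | (~x & z)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: majority function, constant 5A827999
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + X[r2_idx[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: xor, constant 6ED9EBA1
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + X[r3_idx[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE encoded password, lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password

# Constructed sample dump in secretsdump format: user:rid:lmhash:nthash:::
# The NT hashes are generated from known test passwords so the example runs offline.
SAMPLE_DUMP = "\n".join([
    f"CORP\\svc_backup:1105:{EMPTY_LM}:{nt_hash('Summer2021!')}:::",
    f"CORP\\jdoe:1108:{EMPTY_LM}:{nt_hash('Summer2021!')}:::",        # reuses svc_backup's password
    f"CORP\\asmith:1112:{EMPTY_LM}:{nt_hash('c0rrect-h0rse-battery-st4ple-9f2')}:::",
    f"CORP\\legacy_app:1020:{EMPTY_LM}:{nt_hash('')}:::",             # empty password
    f"CORP\\bwong:1115:{EMPTY_LM}:{nt_hash('password')}:::",
])

# Constructed wordlist standing in for the dictionaries a cracking rig would use.
WORDLIST = ["password", "Password1", "Summer2021!", "Welcome1"]


def parse_dump(text: str):
    """Yield (user, nthash) pairs from secretsdump-style lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _rid, _lm, nt = line.split(":")[:4]
        yield user, nt.lower()


def audit(dump_text: str, wordlist):
    """Report dictionary-crackable, reused and empty-password accounts."""
    lookup = {nt_hash(w): w for w in wordlist}  # one hash per candidate, compared in bulk
    cracked, by_hash = {}, defaultdict(list)
    for user, nt in parse_dump(dump_text):
        by_hash[nt].append(user)
        if nt in lookup:
            cracked[user] = lookup[nt]
    reused = {h: users for h, users in by_hash.items() if len(users) > 1}
    empty = by_hash.get(nt_hash(""), [])
    return {"cracked": cracked, "reused": reused, "empty": empty}


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_DUMP, WORDLIST).items():
        print(f"{category}: {hits}")
```

Because NT hashes are unsalted, the wordlist is hashed once and every account is checked by dictionary lookup; this is exactly why a cracking station scales to whole domains and why two accounts with the same hash always mean the same password.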
Multiple intrusion servers were also discovered containing a cache of tactics, techniques, exploits, cryptocurrency wallet information and encrypted .ZIP files containing notes created and shared by attack teams.
“The Wizard Spider team has demonstrated their ability to monetize multiple aspects of their operations,” says PRODAFT. “It is responsible for massive amounts of spam across hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”