Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise.
On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a “complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.”
Today’s more sophisticated cybercriminal operations, whether purely for profit or working for state interests — as with many advanced persistent threat (APT) groups — often operate business-style models. This includes hiring top talent and creating a financial framework to deposit, transfer, and launder proceeds.
In Wizard Spider’s case, this also means pouring some of its profits back into development with investments in tools and software, and paying for new hires. The report suggests that the group commands “hundreds of millions of dollars in assets.”
“The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”
PRODAFT says that Wizard Spider focuses on compromising enterprise networks and “has a significant presence in almost every developed country in the world, and many emerging economies as well.”
Victims have included defense contractors, enterprise firms, supply chain vendors, hospitals, and critical utility providers.
Wizard Spider’s attacks tend to start through spam and phishing using QBot and the SystemBC proxy. The group may also infiltrate businesses through compromised email threads between employees in Business Email Compromise (BEC) schemes.
Once there’s a crack in the door, the group will deploy Cobalt Strike and will attempt to grab domain administrator privileges. The Conti ransomware strain is deployed, machines and hypervisor servers are encrypted, and a ransomware demand is made.
Victims are managed through a locker control panel.
Wizard Spider also uses virtual private networks (VPNs) and proxies to hide their tracks. However, the group has also invested in some unusual tools, including VoIP systems and employees tasked with cold-calling individuals and scaring them into paying up after a security incident.
This is a tactic employed in the past by a handful of other ransomware groups including Sekhmet, Maze, and Ryuk. Coveware suspects that this kind of ‘call center’ work may be outsourced by cybercriminals, as the templates and scripts used are often “basically the same.”
Another tool of note is the Wizard Spider cracking station. This custom kit stores cracked hashes and runs crackers to try and secure domain credentials and other forms of common hashes. The station also updates the team on cracking status. As of now, there are 32 active users.
Several intrusion servers were also discovered containing a cache of tactics, techniques, exploits, cryptocurrency wallet information, and encrypted .ZIP files containing notes made and shared by attack teams.
“The Wizard Spider team has shown itself capable of monetizing multiple aspects of its operations,” PRODAFT says. “It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0