Wizard Spider

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, was a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. The group is estimated to number about 80 people, some of whom may not know they are employed by a criminal organisation. It has been a target of Europol, Interpol, the FBI and the National Crime Agency in the United Kingdom.


History

In 2018 the group began using Trickbot, Ryuk and Conti ransomware as its primary tools. The group is also responsible for developing the espionage software Sidoh, which only gathers information and does not hold it to ransom. In 2020 its software infected three Minnesota medical facilities, locking staff out of computers; court orders were obtained in an attempt to force the operators off the command and control servers. By the start of February 2022 some internal communications from the group had been leaked. In late February 2022, members of the group initially supported the Russian invasion of Ukraine, which prompted an anonymous person sympathetic to Ukraine to leak further internal group communications. The group's servers were eventually shut down in 2022.

In February 2023 United States Secretary of State Antony Blinken announced that the United States and United Kingdom had sanctioned seven men for allegedly spreading Conti, Ryuk and Trickbot malware. Travel bans were imposed on them, their assets were seized, and American and British companies and citizens are prohibited from conducting any business with them. Their names were Vitaliy Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev. Foreign banks that knowingly provide significant services to those men could also be sanctioned. In September 2023 the USA and UK sanctioned another 11 men connected to Wizard Spider; their assets in the USA and UK are to be seized and travel bans imposed on them. Wizard Spider was linked to Russian intelligence by the American government. The men named were:
Other indictments were unsealed, including one in southern California against Maksim Galochkin, on three charges of hacking and deploying Conti on Scripps Health hospitals. As of October 2024 the group was disbanded.


Modus operandi

PRODAFT wrote a technical report describing the group's attacks and organisation. Attacks usually begin with large volumes of spam sent to targets in order to trick victims into downloading malware. The group uses Qbot and SystemBC malware as well as writing its own. A separate team pinpoints valuable targets and uses Cobalt Strike to attack them. If they gain control of the system, they deploy ransomware. They have simultaneously transferred Bitcoin from Ryuk and Conti ransomware attacks into their own wallets, implying that they carry out several attacks using different malware. They are very security conscious and do not openly advertise on the darknet; they will only work with or sell access to criminals they trust. They are known to belittle their victims via a leak site, which is also used to publish data they have stolen. Intelligence agencies say that the group does not attack targets in Russia, nor do key figures travel outside the country for fear of being arrested.

The Irish Times reports that Wizard Spider software is programmed to uninstall itself if it detects that the system uses the Russian language or has an IP address in the former Soviet Union. However, research by PRODAFT found that the largest single share of SystemBC-infected machines (20.5%) was within Russia. Russia is suspected of tolerating Wizard Spider and even assisting it.
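The self-uninstall behaviour reported above is a locale and geolocation kill switch. The following Python models how such a check is typically structured, so that a defender can reason about what it keys on and where it fails. This is an added example, not Trickbot, SystemBC or Wizard Spider code: the language-ID set, the address ranges (RFC 5737 documentation networks used as stand-ins) and the function names are this example's own assumptions; the real malware's lists are not on this page.

```python
"""Model of a locale / geolocation kill switch (added example, not malware code).

Assumptions: BLOCKED_LANGUAGE_IDS and BLOCKED_NETWORKS are illustrative stand-ins;
a real check would use the operator's own list and a GeoIP database.
"""
import ipaddress

# Windows language identifiers. On Windows the language ID is the low 16 bits
# of a keyboard-layout handle (HKL). 0x0419 = Russian, 0x0422 = Ukrainian,
# 0x0423 = Belarusian. Illustrative set, not the malware's actual list.
BLOCKED_LANGUAGE_IDS = frozenset({0x0419, 0x0422, 0x0423})

# Constructed sample networks standing in for "former Soviet Union" address
# space. These are documentation ranges (RFC 5737), NOT real allocations.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


def language_hit(layout_handles, blocked=BLOCKED_LANGUAGE_IDS):
    """Return the first blocked language ID found among keyboard-layout
    handles (as GetKeyboardLayoutList would return them), or None.

    Only the low word of each handle is the language identifier, so a
    Russian layout 0x04190419 matches while en-US 0x04090409 does not.
    """
    for hkl in layout_handles:
        lang_id = hkl & 0xFFFF
        if lang_id in blocked:
            return lang_id
    return None


def network_hit(ip_text, networks=BLOCKED_NETWORKS):
    """Return the blocked network containing ip_text, or None.

    Unparseable input (for example an empty string when the external-IP
    lookup failed) is treated as 'not blocked': a sample that cannot learn
    its location keeps running, which is why this check alone is weak.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return net
    return None


def kill_switch_decision(layout_handles, public_ip):
    """Combine both checks as the text describes: either condition alone is
    enough for the malware to uninstall itself. Returns (uninstall, reason)."""
    lang = language_hit(layout_handles)
    if lang is not None:
        return True, f"blocked language id 0x{lang:04x} installed"
    net = network_hit(public_ip)
    if net is not None:
        return True, f"public address in blocked range {net}"
    return False, "no blocked language or address; payload would proceed"


if __name__ == "__main__":
    # Constructed scenarios: en-US only, en-US plus a Russian layout,
    # a blocked address, and a failed IP lookup.
    en_us_only = [0x04090409]
    with_russian_layout = [0x04090409, 0x04190419]
    for layouts, ip in [(en_us_only, "192.0.2.10"),
                        (with_russian_layout, "192.0.2.10"),
                        (en_us_only, "198.51.100.77"),
                        (en_us_only, "")]:
        print([hex(h) for h in layouts], repr(ip), kill_switch_decision(layouts, ip))
```

Two properties of this design matter to a practitioner. The language check keys on installed keyboard layouts, not on where the machine actually is, which is why adding a Russian layout to a host outside the region trips it (the widely reported "vaccine" trick) and why a host inside the region with only an English layout does not. The network check depends on the sample's view of its own public address, so a VPN, proxy or failed lookup changes the answer; neither check tells a defender anything about the operators' location, and neither is a substitute for blocking the initial spam and loader stage.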


Suspected attacks

They are suspected of being behind the Health Service Executive cyberattack in the Republic of Ireland. It is the largest known attack against a health service computer system. Key figures are suspected of being involved with online attacks using Dyre software.


Associates

Members of the group have been linked to UNC1878, TEMP.MixMaster, and Grim Spider. A research report by Jon DiMaggio suggests the group is part of a collection of criminals known as the Ransom Cartel or Maze Cartel. Other members include TWISTED SPIDER, VIKING SPIDER, the LockBit gang and the SunCrypt gang. All use ransomware to extort money. SunCrypt have since retired. The PRODAFT report authors found that Wizard Spider sometimes backed up data to a server, and that the server contained data from systems that had also been attacked by REvil, though the authors could not conclude which of the two groups had taken the data.


External links


Wizard Spider Group In-Depth Analysis - report by PRODAFT, 16 May 2022