Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.
In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.
What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we’re told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).
In addition, Wizard Spider is full-service. It manages the entire lifecycle of a cyberattack – from the initial intrusion and encryption of data in the compromised organization, to hiring outside help for such jobs as cold-calling ransomware victims to scare them into paying up. If necessary, it buys whatever malicious code it needs, though it is also increasingly building its own tools, such as a hash-cracking application.
“The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers at Prodaft wrote. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”
Wizard Spider, we’re told, is “capable of monetizing multiple aspects of its operations. It is responsible for an enormous quantity of spam on hundreds of millions of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”
The malware developed by Wizard Spider – particularly Conti – has got the attention of government officials in the US and aboard. The Conti ransomware was used in an attack that almost shut down Ireland’s health care system and, more recently, trashed Costa Rican government agencies. The president of Costa Rica, Rodrigo Chaves, has said his country is at war with whoever is behind Coni.
The US government over the past year has issued several alerts about Conti, and earlier this month offered a reward of up to $15 million for information about key figures in the group developing Conti and individuals behind any attacks using a variant of the ransomware.
A wide web indeed
The group’s reach is wide, and it has been the subject of research by various cybersecurity teams. According to Prodaft, Wizard Spider controls thousands of client devices worldwide through a cluster of servers running SystemBC proxy malware. The researchers counted 128,036 SystemBC-infected boxes, most of them in Russia (20.5 percent) and the US (12.9 percent).
“While these two countries are by far the most popular targets, it’s worth pointing out that other major economies like China, India, and Brazil are also well represented,” the threat hunters wrote. “Wizard Spider has a significant presence in almost every developed country in the world, and many emerging economies as well.”
Most attacks launched by Wizard Spider start with a massive spam campaign using Qbot, SystemBC, and compromised business email, with the aim to trick marks into downloading and running some of the gang’s malware on their Windows PCs. After that “another team uses domain-based selection to pinpoint the valuable targets for their ransom demands and deploy Cobalt Strike for lateral movement activities,” they wrote. “If the intrusion team successfully obtains the domain admin privilege, they deploy Conti’s ransomware strain.”
A Wizard Spider sub-team, for example, specializes in infecting hypervisor servers, such as machines powered by VMware’s ESXi, with the Conti ransomware. Once data is exfiltrated from a victim’s boxen, the crooks upload malicious code that encrypts information and leaves a ransom note.
The group manages victims through a locker control panel. The researchers also found that the crew directly scanned for and exploited hundreds of VMware vCenter servers using the widespread Log4j vulnerability – dubbed Log4Shell – and several of the IP addresses used for scanning were also used for Cobalt Strike command-and-control (C2) servers in later attacks.
Spinning up the research arm
Wizard Spider also invested in developing its own technologies, including a custom toolkit for exploiting security flaws, including the Log4j hole and a custom voice-over-IP (VoIP) system used by the operators to call victims to demand ransoms are paid.
The cold-calling system stores reports of calls that sub-teams can use when further pressuring victims. The reports include everything from the unique name the extortionists give to their victims, the time of the ransomware attack, and a call status that uses “1” for a successful call and “0” for calls that are not successful or have yet to be made.
There also is a custom hash-cracking system that “stores cracked hashes, updates threat actors on the cracking status and shows the results of cracking attempts on other servers,” the threat hunters wrote. The software claims it can crack a broad array of common hash types, including LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, and those used for MS Office 2013 documents.
The hash-cracking management app is also used as a communication tool for tracking the crew’s work, indicating that it plays a central role in how Wizard Spider’s business operates. As of the time of the Prodaft report, there were 32 active users in the cracking suite.
The analysts were surprised to learn of a link between Wizard Spider and REvil, the ransomware group that put a wrecking ball through global meat supplier JBS and IT software maker Kaseya. Wizard Spider’s servers used for its extortion campaigns occasionally copy their data to a backup server in Russia that has a disk size of about 26TB. The Prodaft researchers found data in this backup storage that was stolen from some organizations that were also attacked by the REvil during the first quarter of 2021.
“It presents a worrying example of the collaboration between the ransomware gangs,” the cyberexperts wrote. “However, we do not have any further information to confirm whether the Wizard Spider team carried out these attacks or the stolen data transferred from REvil’s servers into backup storage.” ®