Prodaft report throws light on financially motivated Wizard Spider cybercrime group

New research has been released by the Prodaft Threat Intelligence (PTI) team on the Russia-linked Wizard Spider cybercrime group, which has been identified as being behind high-profile malware variants including Ryuk, Trickbot, and Conti, among others. The financially motivated cybercrime group, first identified in 2017, has since emerged as ‘one of the wealthiest groups currently in operation, with total assets easily in excess of hundreds of millions of dollars.’

The PTI team has been collecting data on Wizard Spider’s operations since publishing its first report on the Conti ransomware last November. As a result, the team has discovered valuable new information about Wizard Spider and its relationship to other cybercrime groups and software producers. The report also contains a technical analysis of Wizard Spider’s capabilities and its command structure, including a complex set of sub-teams divided into software-specific groups.

Data also showed that the group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives, Prodaft said in its latest report. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits. It has also apparently invested in its own panel-hosting cracking application and hired telephone operators to cold-call victims and scare them into paying,” it added.

“The PTI team has been actively tracking the Wizard Spider group since releasing our first public report in November 2021,” according to the Prodaft report. “This prevented hundreds of ransomware attacks and notified more than 128,000 victims that were targeted by the group. These victims include defense and aerospace companies, food producers, supply chain providers, hospitals, government agencies, and critical infrastructure providers. We obtained visibility into critical elements of the group’s infrastructure and collected vital data on its kill chain,” it added.

Wizard Spider can manage attacks from start to finish using its own distributed capabilities, assigning pre-attack preparations to certain teams and post-exploitation tasks to others.

The Prodaft report identified that Wizard Spider uses a cluster of ‘SystemBC’ servers to control thousands of client devices around the world. “If a victim appears to be a valuable target, threat actors will deploy Cobalt Strike or similar software to escalate privileges and move laterally through the network.”

The report said that the PTI team identified more than 128,036 SystemBC victims. “The SystemBC victim data shows Wizard Spider threat actors mostly targeted Russia (20.5%) and the United States (12.9%). Although it is seen that threat actors statistically identify victims originating from Russia at a high rate, none of them are encountered in the Cracking or Encryption stages of the attack cycle,” it added.

During the investigation, the PTI team discovered a unique system used by Wizard Spider’s sub-team that targets hypervisor servers such as VMware ESXi with the Conti ransomware strain, the Prodaft report said. “After threat actors exfiltrate data from their victim’s servers, they prepare and upload a special locker software on their own Locker Software Server. This locker software directly targets hypervisor servers and encrypts them, leaving a ransom note on the desktop, in the characteristic style of a typical Conti ransomware attack,” it added.

Further investigation revealed that the attackers directly scanned and exploited hundreds of VMware vCenter servers using the Log4j vulnerabilities. Notably, several of the scanner IP addresses were also used as Cobalt Strike C2 servers in the subsequent attacks.

The report said that the PTI team identified several intrusion servers belonging to Wizard Spider threat actors. “They contain tactics, techniques, and procedures of threat actors, purchased zero-day exploits, connected server addresses, Bitcoin addresses marked for payment, and various sensitive data on their operational environment. Threat actors kept notes to share between the teams in the form of encrypted ZIP files,” it added.

“During the investigation of Wizard Spider’s intrusion servers, the PTI team obtained visibility into multiple critical elements of the group’s infrastructure,” according to the report. “We obtained valuable information on tools, user manual files, and existing techniques, tactics, and procedures that threat actors use to test and attack victims’ systems,” it added.

The information detected on the intrusion servers has been correlated and confirmed with leak files published by ContiLeaks since Feb. 27 this year, the Prodaft report said. “These servers contain Conti’s locker files, Bazarloader samples, victim statistics, and Active Directory dumps of some companies published by Conti in their victim blogs. The PTI team also discovered tools and techniques that are actively used by Wizard Spider team members on the intrusion servers. Some of our findings can be verified using public ContiLeaks,” it added.

The Prodaft report said that the Wizard Spider team uses a custom toolkit that can exploit zero-day, one-day, and n-day vulnerabilities in its attacks, alongside public tools. “During the PTI team’s analysis of Wizard Spider’s intrusion servers, our analysts determined that the Wizard Spider team purchased and used zero-day exploits from other threat actors and used current and public vulnerabilities. This finding was corroborated with the information published by ContiLeaks as well. However, the entire toolkit data can be shared with researchers upon request,” it added.

“The victim’s stolen data is typically transferred to an extortion server (using rclone or a similar data transfer tool) via a proxy network established using WireGuard VPN before deploying the ransomware,” the Prodaft report said. “We detected several storage servers containing the victims’ data during the PTI team’s investigation. Interestingly, we identified several folders belonging to victims who agreed to pay the ransom. This finding is an excellent example that we should not trust ransomware operators,” the researchers added.

According to the report, the extortion servers periodically transfer their data to a backup server in Russia, which has a considerable disk size (~26TB). “One of the most striking findings is that some of the victims in the backup storage were attacked by the REvil ransomware gang around Q1/2021. It presents a worrying example of the collaboration between the ransomware gangs. However, we do not have any further information to confirm whether the Wizard Spider team carried out these attacks or the stolen data was transferred from REvil’s servers into backup storage,” it added.

LockBit, Conti and Pysa have been named as the top three ransomware gangs in 2021, according to data released in Group-IB’s ‘Ransomware Uncovered 2021/2022’ report. It also identified that ransom demands keep growing. “Since the publication of the Ransomware Uncovered 2020/2021 report, the average ransom amount increased by 45% to reach $247,000 in 2021, while the highest demand was $240,000,000 (compared to $30,000,000 in 2020),” the report added.

Last month, Prodaft released insights into the operations of the Pysa and Mespinoza ransomware groups, gathering the data by detecting and investigating systems used by the Pysa hackers.
