Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware

Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D


Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

In addition, Wizard Spider is full-service. It manages the entire lifecycle of a cyberattack – from the initial intrusion and encryption of data in the compromised organization, to hiring outside help for such jobs as cold-calling ransomware victims to scare them into paying up. If necessary, it buys whatever malicious code it needs, though it is also increasingly building its own tools, such as a hash-cracking application.

"The group's extraordinary profitability allows its leaders to invest in illicit research and development initiatives," the researchers at Prodaft wrote. "Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits."

Wizard Spider, we're told, is "capable of monetizing multiple aspects of its operations. It is responsible for an enormous quantity of spam on hundreds of millions of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets."

The malware developed by Wizard Spider – particularly Conti – has got the attention of government officials in the US and abroad. The Conti ransomware was used in an attack that almost shut down Ireland's health care system and, more recently, trashed Costa Rican government agencies. The president of Costa Rica, Rodrigo Chaves, has said his country is at war with whoever is behind Conti.

The US government over the past year has issued several alerts about Conti, and earlier this month offered a reward of up to $15 million for information about key figures in the group developing Conti and individuals behind any attacks using a variant of the ransomware.

A wide web indeed

The group's reach is wide, and it has been the subject of research by various cybersecurity teams. According to Prodaft, Wizard Spider controls thousands of client devices worldwide through a cluster of servers running SystemBC proxy malware. The researchers counted 128,036 SystemBC-infected boxes, most of them in Russia (20.5 percent) and the US (12.9 percent).

"While these two countries are by far the most popular targets, it's worth pointing out that other major economies like China, India, and Brazil are also well represented," the threat hunters wrote. "Wizard Spider has a significant presence in almost every developed country in the world, and many emerging economies as well."

Most attacks launched by Wizard Spider start with a massive spam campaign using Qbot, SystemBC, and compromised business email, with the aim of tricking marks into downloading and running some of the gang's malware on their Windows PCs. After that "another team uses domain-based selection to pinpoint the valuable targets for their ransom demands and deploy Cobalt Strike for lateral movement activities," they wrote. "If the intrusion team successfully obtains the domain admin privilege, they deploy Conti's ransomware strain."

A Wizard Spider sub-team, for example, specializes in infecting hypervisor servers, such as machines powered by VMware's ESXi, with the Conti ransomware. Once data is exfiltrated from a victim's boxen, the crooks upload malicious code that encrypts information and leaves a ransom note.

The group manages victims through a locker control panel. The researchers also found that the crew directly scanned for and exploited hundreds of VMware vCenter servers using the widespread Log4j vulnerability – dubbed Log4Shell – and several of the IP addresses used for scanning were also used for Cobalt Strike command-and-control (C2) servers in later attacks.

Spinning up the research arm

Wizard Spider also invested in developing its own technologies, including a custom toolkit for exploiting security flaws such as the Log4j hole, and a custom voice-over-IP (VoIP) system used by the operators to call victims and demand that ransoms are paid.

The cold-calling system stores reports of calls that sub-teams can use when further pressuring victims. The reports include everything from the unique name the extortionists give to their victims, the time of the ransomware attack, and a call status that uses "1" for a successful call and "0" for calls that are not successful or have yet to be made.

There also is a custom hash-cracking system that "stores cracked hashes, updates threat actors on the cracking status and shows the results of cracking attempts on other servers," the threat hunters wrote. The software claims it can crack a broad array of common hash types, including LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, and those used for MS Office 2013 documents.

The hash-cracking management app is also used as a communication tool for tracking the crew's work, indicating that it plays a central role in how Wizard Spider's business operates. As of the time of the Prodaft report, there were 32 active users in the cracking suite.

The analysts were surprised to learn of a link between Wizard Spider and REvil, the ransomware group that put a wrecking ball through global meat supplier JBS and IT software maker Kaseya. Wizard Spider's servers used for its extortion campaigns occasionally copy their data to a backup server in Russia that has a disk size of about 26TB. The Prodaft researchers found data in this backup storage that was stolen from some organizations that were also attacked by REvil during the first quarter of 2021.

"It presents a worrying example of the collaboration between the ransomware gangs," the cyberexperts wrote. "However, we do not have any further information to confirm whether the Wizard Spider team carried out these attacks or the stolen data transferred from REvil's servers into backup storage." ®

Biting the hand that feeds IT © 1998–2022