PRODAFT published the results of an investigation into Wizard Spider on Wednesday. The group is believed either to be, or to be associated with, the Grim Spider and Lunar Spider hacking groups.

Wizard Spider, likely to be Russian, runs an infrastructure made up of a “complex set of sub-teams and groups, has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo,” according to the cybersecurity firm.

Today’s more sophisticated cybercriminal operations often run business-style models, whether purely for profit or in the service of state interests. In addition, hiring top talent and creating a financial framework to deposit.

In Wizard Spider’s case, it also means investing some of its profits back into development with investments in tools and software, and paying for new hires. The report suggests that the group commands “hundreds of millions of dollars in assets.”

“The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”

PRODAFT says that Wizard Spider focuses on compromising enterprise networks and “has a significant presence in almost every developed country in the world, and many emerging economies as well.”

Its many victims include defense contractors, enterprise firms, supply chain vendors, hospitals, and critical utility providers.

Wizard Spider’s attacks tend to start with spam and phishing, using QBot and the SystemBC proxy. Hijacking compromised email threads between employees, as in Business Email Compromise (BEC) schemes, is another way the group infiltrates businesses.

Victims are managed through a locker control panel.

In the past, this was a tactic employed by a handful of other ransomware groups, including Sekhmet, Maze, and Ryuk. Cybercriminals may outsource this kind of ‘call center’, as Coveware has noted, and the templates and scripts used are often the same.

“The Wizard Spider team has shown itself capable of monetizing multiple aspects of its operations,” PRODAFT says. “It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”

cryptowizard