Wizard Spider

Threat Actor updated 3 months ago (2024-06-24T19:17:47.491Z)
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, FIN12, and Grim Spider, is a significant threat actor in the cybercrime landscape. IBM Security X-Force researchers have continually analyzed the group for its use of several crypters, and it is credited with creating the notorious, ever-evolving TrickBot malware. In March 2020 the group stopped deploying Ryuk ransomware until mid-September, and it is currently unclear how it intends to use both Conti and Ryuk; what is evident is that Wizard Spider now runs multiple ransomware operations. In recent months the group has expanded the number and variety of channels used to distribute its key initial payloads. It is among the top groups targeting users of the Netskope Security Cloud platform, which makes it a formidable adversary. Wizard Spider's attacks were dominant during a certain period, operating under aliases such as Grim Spider, UNC1878, and TEMP.MixMaster. While most financially motivated intrusions originated from Russia and Ukraine, the group's activities have highlighted China as a major geopolitical threat. Seven members of Wizard Spider, believed to be behind Ryuk, Conti, and TrickBot, were sanctioned earlier this year, and a further eleven were added to the SDN list in September. PRODAFT's analysis of the LockBit operation identified over 28 affiliates, some of whom share ties with other Russian e-crime groups such as Evil Corp, FIN7, and Wizard Spider. Despite the sanctions and continuous tracking of its activities, the group remains active and continues to pose a substantial risk to global cybersecurity.
Description last updated: 2024-06-24T19:16:56.337Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are overlapping names and profiles that may also be worth reviewing.
ID (votes): profile description

TrickBot (5 votes): TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

FIN12 (2 votes): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware

Trickbot Group (2 votes): The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. The group has been consistently analyzed by IBM Security X-Force researchers due to their development and use of several crypters. In the fall of 2020, efforts were m

ITG23 (2 votes): ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Malware, Ransomware, Cybercrime, Russia
Associated Malware
ID (type, votes): profile description

Conti (Unspecified, 4 votes): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Ryuk (Unspecified, 3 votes): Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves
Source Document References
Information about the Wizard Spider threat actor was read from the documents corpus below. This display is limited to 20 results.

Source (created at): title
BankInfoSecurity (3 months ago): European Union Sanctions Russian State Hackers
CERT-EU (6 months ago): Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement | #cybercrime | #infosec | National Cyber Security Consulting
MITRE (9 months ago): Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
CERT-EU (9 months ago): CyberTalk with Ray Canzanese
SecurityIntelligence.com (10 months ago): ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU (10 months ago): US sanctions Russian for cleaning Ryuk's and oligarchs' cash
CERT-EU (a year ago): Netskope Threat Labs report says highest percentage of cybercrime activity originates in Russia
CERT-EU (a year ago): Criminal groups focus on Australia and US
CERT-EU (a year ago): Malware increasingly spread through cloud apps
CERT-EU (a year ago): 11 alleged Conti criminals hit with UK and US sanctions | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): US, UK sanction more Russians linked to Trickbot crime gang
MITRE (2 years ago): Exposing initial access broker with ties to Conti
MITRE (2 years ago): Wizard Spider Modifies and Expands Toolset [Adversary Update]
MITRE (2 years ago): Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
MITRE (2 years ago): Diavol - A New Ransomware Used By Wizard Spider? | Fortinet
MITRE (2 years ago): Diavol Ransomware
Recorded Future (2 years ago): Dark Covenant 2.0: Cybercrime, the Russian State, and War in Ukraine | Recorded Future
CERT-EU (2 years ago): Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware
CERT-EU (2 years ago): US, UK sanctions members of 'notorious cyber gang' TrickBot
Krebs on Security (2 years ago): U.S., U.K. Sanction 7 Men Tied to Trickbot Hacking Group