Wizard Spider

Threat Actor updated a day ago (2024-11-20T18:13:44.665Z)
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, FIN12, and Grimspider, is a prominent cybercrime group. According to IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribute its initial payloads. The group has been credited with creating the notorious and continuously evolving TrickBot malware, posing significant threats to users of the Netskope Security Cloud platform. In 2020, Wizard Spider paused the deployment of Ryuk ransomware from March until mid-September, but it is now running multiple ransomware operations. The group's intent behind using both Conti and Ryuk ransomware remains unclear. Furthermore, intelligence suggests that Wizard Spider shares infrastructure and malware services with other groups such as LUNAR SPIDER, ALPHV/BlackCat, and other Russian e-crime groups like Evil Corp and FIN7. The group faced sanctions in 2023, when seven members believed to be behind Ryuk, Conti, and Trickbot were penalized. In September of that year, an additional 11 members were added to the Specially Designated Nationals (SDN) list. Despite these measures, Wizard Spider continues to pose a significant cybersecurity threat due to its financial motivations and its ties with other cybercriminal organizations.
Description last updated: 2024-11-15T16:06:49.326Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| TrickBot is a possible alias for Wizard Spider. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev, | 5 |
| Trickbot Group is a possible alias for Wizard Spider. The Trickbot Group, also known as ITG23, Wizard Spider, or DEV-0193, is a cybercriminal entity notorious for its malicious activities. This threat actor group has been linked to Russian intelligence services and primarily targets non-Russian entities, including financial institutions and hospitals, | 2 |
| ITG23 is a possible alias for Wizard Spider. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be | 2 |
| FIN12 is a possible alias for Wizard Spider. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Cybercrime
Russia
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Conti Malware is associated with Wizard Spider. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra | Unspecified | 4 |
| The Ryuk Malware is associated with Wizard Spider. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves | Unspecified | 3 |