Wizard Spider

Threat Actor updated 23 days ago (2024-11-29T13:53:52.524Z)
Download STIX
Preview STIX
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribute its initial payloads. The group has been credited with creating the notorious and continuously evolving TrickBot malware, posing significant threats to users of the Netskope Security Cloud platform. In 2020, Wizard Spider paused the deployment of Ryuk ransomware from March until mid-September, but it is now running multiple ransomware operations. The group's intent behind using both Conti and Ryuk ransomware remains unclear. Furthermore, intelligence suggests that Wizard Spider shares infrastructure and malware services with other groups such as LUNAR SPIDER, ALPHV/BlackCat, and other Russian e-crime groups like Evil Corp and FIN7. The group faced sanctions in 2023 when seven members believed to be behind Ryuk, Conti, and Trickbot were penalized. Later that year, an additional 11 members were added to the Specially Designated Nationals (SDN) list in September. Despite these measures, Wizard Spider continues to pose a significant cybersecurity threat due to its financial motivations and its ties with other cybercriminal organizations.
Description last updated: 2024-11-15T16:06:49.326Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
TrickBot is a possible alias for Wizard Spider. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,
5
Trickbot Group is a possible alias for Wizard Spider. The Trickbot Group, also known as ITG23, Wizard Spider, or DEV-0193, is a cybercriminal entity notorious for its malicious activities. This threat actor group has been linked to Russian intelligence services and primarily targets non-Russian entities, including financial institutions and hospitals,
2
ITG23 is a possible alias for Wizard Spider. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
2
FIN12 is a possible alias for Wizard Spider. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Cybercrime
Russia
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Conti Malware is associated with Wizard Spider. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
4
The Ryuk Malware is associated with Wizard Spider. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
3
Source Document References
Information about the Wizard Spider Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Contagio
a month ago
BankInfoSecurity
6 months ago
CERT-EU
10 months ago
MITRE
a year ago
CERT-EU
a year ago
SecurityIntelligence.com
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
Recorded Future
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago