Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware.[1] In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware.[2][3] This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates.[4] Notable Ryuk attacks include the Universal Healthcare System Hospitals, US Georgia and Florida state government administrative offices, and Chinese companies.[5][6]
According to the FBI, in less than one year (2019-2020) Wizard Spider extorted $61 million USD from ransomware attacks.[7][8] Throughout the operations, the group used a multi-staged approach to manage ransomware campaigns.[9] Prior to encrypting a victim's network, the group exfiltrates sensitive data and threatens to publicly disclose it if the victim refuses to pay the ransom.
Associated Names: UNC1878, TEMP.MixMaster, Grim Spider, Team9