Hackers, and cybercrime in general, have come a long way. Today’s cybercriminals don’t just launch more sophisticated attacks; their operations also follow business-style models. A perfect example of this is Wizard Spider, the hacking group behind the Ryuk and Conti malware, with millions of dollars in assets. And researchers from PRODAFT have exposed its inner workings.
In its newly published report, the cybersecurity firm unveils the gang’s command structure and assault capabilities. The deep look into the organization’s business model will offer security teams valuable and ‘unprecedented’ insight into Wizard Spider. That includes background, structure, motivations, tactics, and techniques.
Wizard Spider: A Well-Oiled Hacking Machine
After a 1-year investigation, the PRODAFT Threat Intelligence (PTI) team released a detailed report about the inner workings of Wizard Spider. The findings show that the cyber gang has turned into a multi-million dollar empire. What’s even more striking is that it operates in a corporate-like model, which shows that crime is run like any other business and that criminals can also run a tight ship.
According to the Swiss firm, the Wizard Spider infrastructure comprises a complex set of sub-teams and groups and has many compromised devices. Moreover, it “employs a highly distributed professional workflow to maintain security and a high operational tempo.” Researchers also found that the hacking group has connections with other infamous threat actors, like REvil, Qbot, Grim Spider, and Lunar Spider.
Wizard Spider manages the entire attack cycle, from malware infection and data encryption to hiring outside help. Accordingly, PRODAFT uncovered cold-callers working for the group. Their job is to call ransomware victims and scare them into paying up. Furthermore, the hackers use VPNs to cover their tracks and, more unusually, have invested in VoIP services.
The findings also showed that the cybergang invests in developing new malware tools and hiring top talent. “The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” researchers said.
“Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.” (PRODAFT)
Conti and Russia Links
According to several reports, the Wizard Spider cybercrime group has Russian ties. The organization is behind Conti, whose members voiced their support for Moscow following its invasion of Ukraine. And the group has been wreaking havoc, with governments worldwide closely monitoring its activities.
Conti ransomware recently launched a destructive onslaught on Costa Rica’s government agencies. A total of 27 institutions were affected, including the Ministry of Finance. As a result, the tax collection system took the biggest blow, and citizens were forced to pay taxes by hand. It prompted the newly-elected President Rodrigo Chaves to say that his country was at war.
The US, Spain, and Israel rushed to help Costa Rica protect its computer systems and repair the damage. Conti malware also nearly took out Ireland’s healthcare system. Consequently, the US put out a $15 million reward for anyone with information about key figures inside the gang.