
Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
2022-05-18 21:01

In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

The malware developed by Wizard Spider - particularly Conti - has caught the attention of government officials in the US and abroad.

According to Prodaft, Wizard Spider controls thousands of client devices worldwide through a cluster of servers running SystemBC proxy malware.

Most attacks launched by Wizard Spider start with a massive spam campaign using Qbot, SystemBC, and compromised business email, with the aim of tricking marks into downloading and running some of the gang's malware on their Windows PCs. After that, "Another team uses domain-based selection to pinpoint the valuable targets for their ransom demands and deploy Cobalt Strike for lateral movement activities," the Prodaft researchers wrote.

A Wizard Spider sub-team, for example, specializes in infecting hypervisor servers, such as machines powered by VMware's ESXi, with the Conti ransomware.

The analysts were surprised to learn of a link between Wizard Spider and REvil, the ransomware group that put a wrecking ball through global meat supplier JBS and IT software maker Kaseya.

News URL: https://go.theregister.com/feed/www.theregister.com/2022/05/18/wizard-spider-ransomware-conti/