Wizard Spider
Wizard Spider is a prolific Russia-linked cybercrime syndicate, active since at least 2016. Known for its connection to TrickBot and Conti ransomware operations, the group specializes in financially motivated cyberattacks, leveraging advanced malware, phishing campaigns, and double extortion ransomware tactics. Their operations impact critical sectors worldwide, reflecting their cartel-like structure and sophisticated methods.
Wizard Spider TTPs
Tactics
Wizard Spider predominantly engages in financially motivated attacks, carrying out high-profile Big-Game-Hunting (BGH) ransomware campaigns. They aim to maximize monetary gain, frequently targeting critical infrastructure and large enterprises.
Techniques
The group relies heavily on phishing campaigns with malicious attachments or links to gain initial access. They also deploy commodity loaders such as TrickBot and BazarLoader, and make use of compromised credentials. Once inside, they leverage tools like PowerShell, Cobalt Strike, and custom malware to move laterally and maintain persistence.
Procedures
Wizard Spider uses advanced procedures, including data exfiltration and double extortion tactics, where sensitive data is stolen prior to encryption and leveraged to pressure victims into paying ransom. They iterate quickly, adapting to circumvent detection measures and improve operational impact.
Indicators of Compromise (IoCs)
Loader/Beacon artifacts from TrickBot, BazarLoader, and BazarBackdoor.
Phishing emails with malicious ISO/ZIP attachments or weaponized LNK files.
Lateral movement indicators, including Cobalt Strike beacons, PsExec, and abnormal WMI/Remote Service activity.
Large-volume outbound transfers, indicative of data exfiltration.
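The lateral-movement and exfiltration indicators listed above (PsExec, abnormal WMI/Remote Service activity, large outbound transfers) map naturally onto a few host and network telemetry checks. The following Python script is an added example written for this page, not Huntress tooling or anything from the group's own kit. The log records, their field names, the host names, the external addresses (drawn from the reserved TEST-NET documentation ranges) and the 10 GB egress threshold are all constructed; the Windows event IDs (7045 service install, 4688 process creation) and the PSEXESVC default service name are real, but any production use needs the records mapped onto your own EDR or SIEM schema and the threshold tuned to your baseline.

```python
"""Toy triage of constructed host and network telemetry for the lateral-movement
and exfiltration indicators in the Wizard Spider profile. Everything below the
docstring that looks like data is constructed for the example; the field names
and threshold are assumptions, not a vendor schema."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real events). Event IDs are the real Windows ones:
# 7045 = a service was installed (System log), 4688 = process creation (Security log).
HOST_EVENTS = [
    {"host": "ws-01", "event_id": 4688, "parent": "outlook.exe", "image": "cmd.exe"},
    {"host": "srv-02", "event_id": 7045, "service_name": "PSEXESVC",
     "image": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "srv-03", "event_id": 4688, "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
    {"host": "srv-03", "event_id": 4688, "parent": "explorer.exe", "image": "notepad.exe"},
    {"host": "srv-04", "event_id": 7045, "service_name": "Backup Agent",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
]

# Constructed per-host flow summaries: bytes sent to an external address in the window.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges, not real hosts.
FLOWS = [
    {"host": "srv-02", "dst": "203.0.113.10", "bytes_out": 40_000_000_000},
    {"host": "ws-01", "dst": "198.51.100.5", "bytes_out": 120_000_000},
    {"host": "srv-03", "dst": "203.0.113.10", "bytes_out": 9_000_000_000},
]

# Assumed baseline: 10 GB outbound per host per window. Tune this to your environment.
OUTBOUND_BYTES_THRESHOLD = 10_000_000_000
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str
    detail: str


def detect_psexec_service(events):
    """Flag service installs whose name or image path matches PsExec's default
    service name (PSEXESVC). A renamed PsExec copy evades this string match,
    which is why it is paired with the WMI and egress heuristics below."""
    findings = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        name = e.get("service_name", "").lower()
        image = e.get("image", "").lower()
        if "psexesvc" in name or "psexesvc" in image:
            findings.append(Finding(e["host"], "psexec_service_install",
                                    f"{e['service_name']} -> {e['image']}"))
    return findings


def detect_wmi_spawned_shell(events):
    """Flag command shells whose parent is the WMI provider host. WmiPrvSE.exe
    rarely launches cmd/powershell during normal use, but remote WMI process
    creation (Win32_Process Create) shows up exactly this way."""
    findings = []
    for e in events:
        if e.get("event_id") != 4688:
            continue
        if (e.get("parent", "").lower() == "wmiprvse.exe"
                and e.get("image", "").lower() in SHELLS):
            findings.append(Finding(e["host"], "wmi_spawned_shell", e["image"]))
    return findings


def detect_bulk_egress(flows, threshold=OUTBOUND_BYTES_THRESHOLD):
    """Sum outbound bytes per internal host and flag hosts at or above the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["host"]] += f["bytes_out"]
    return [Finding(h, "bulk_outbound_transfer", f"{b / 1e9:.1f} GB")
            for h, b in sorted(totals.items()) if b >= threshold]


def triage(events=HOST_EVENTS, flows=FLOWS):
    """Run every check and group indicator names per host. A host carrying both a
    lateral-movement indicator and bulk egress is the strongest signal here."""
    findings = (detect_psexec_service(events)
                + detect_wmi_spawned_shell(events)
                + detect_bulk_egress(flows))
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f.indicator)
    return dict(by_host)


if __name__ == "__main__":
    for host, indicators in triage().items():
        print(host, ", ".join(indicators))
```

On the constructed sample, srv-02 is reported for both a PSEXESVC install and roughly 40 GB of egress, srv-03 only for a WMI-spawned PowerShell, and the benign events (an Outlook-launched cmd.exe, a legitimately named backup service) produce nothing. The three checks are deliberately independent so each can be tuned or replaced on its own; the grouping step is where an analyst would prioritise, since a single PsExec service install is routine in many estates but one followed by bulk egress from the same host is not.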
Key Victims
Wizard Spider’s operations have targeted enterprises spanning critical infrastructure, government entities, MSPs, healthcare providers, and key industries worldwide. Victims have included hundreds of organizations, leaving significant operational and financial impacts.
Notable Cyberattacks
Conti Ransomware Campaigns (2019–2021)
Healthcare Targeting
Law Enforcement Exposure (2022)
Law Enforcement & Arrests
Law enforcement efforts in 2022–2023, including sanctions and indictments, have disrupted aspects of Wizard Spider’s operations. Despite these interventions, the group's activity persists, often through splinter entities or evolved attack techniques.
How to Defend Against Wizard Spider
Enforce MFA on all remote access points and administrative interfaces.
Harden remote services (RDP, VPN) and isolate internet-exposed systems.
Deploy EDR solutions to detect behavioral anomalies and living-off-the-land attacks.
Segment networks and minimize excessive access privileges.
Regularly back up data in secure, offline locations to prevent total loss in ransomware scenarios.
Huntress Managed EDR helps identify and neutralize early-stage intrusions, such as phishing campaigns, business email compromise, and malicious loaders, strengthening defenses against sophisticated threats like Wizard Spider.