Threat Actors: Wizard Spider and its relevance to risk management
Ifeoma Nwawe
Concordia University of Edmonton
Edmonton, AB
inwawe@student.concordia.ab.ca
Abstract— This study looks at Wizard Spider as a
threat actor, investigates attack strategies, and draws
conclusions about the group's significance in risk
management.
Keywords— Wizard Spider, Trickbot, Ryuk, Conti, QBot,
SystemBC, malware, zero-day.
I. INTRODUCTION
The Canadian Centre for Cyber Security defines a threat actor as an organization or individual with malicious intent that seeks to exploit flaws in an information system or in its users in order to access victims' data, devices, systems and networks without their consent, or otherwise to affect them adversely [1].
In the e-crime landscape, threat actors are constantly specializing in their craft, and they differ in skill, sophistication and capability. There is also unprecedented cooperation among threat actor groups, each contributing what it is good at, and this cooperation allows them to scale their operations [2]. The increased specialization lets them develop new malware variants and also boosts criminal enthusiasm [3].
II. WIZARD SPIDER AND ITS IMPACT
Wizard Spider is a Russia-linked crew that offers ransomware as a service and is behind malware such as Trickbot, Ryuk and Conti. First identified in 2017, the group runs a multimillion-dollar organization with a corporate-like operating model; its members are scattered around Erbil (Kurdistan), Saint Petersburg and Ukraine [2].
The group is extremely profitable, which allows its stakeholders to invest in research and development for unlawful purposes. Wizard Spider leverages specialization and collaboration by running a complex network of teams that target specific software types, and it has affiliations with the operators of malware such as Qakbot (also known as QBot or Pinkslipbot).
Although Wizard Spider collaborates with other threat actor groups, its preferred modus operandi is full service: it manages the entire life cycle of a cyber attack, from initial intrusion to encryption of the victim organization's data, and even hires call-centre agents to prospect and harass victims by phone where needed. The group buys malicious code where necessary, although it is also working on building its own hash-cracking applications.
The majority of Wizard Spider's attacks begin with a massive spam campaign that uses QBot, SystemBC and business email compromise, with the main aim of deceiving targets into downloading and running the group's malware on their PCs. Another team painstakingly pinpoints valuable targets that are capable of paying a ransom, after which Cobalt Strike is deployed for lateral movement. If the intrusion team succeeds in obtaining domain admin privileges, it immediately deploys Conti ransomware.
The malware developed by Wizard Spider, especially Conti, has drawn the attention of developed and emerging economies alike. In May 2021, Conti attacked Ireland's Health Service Executive (HSE), causing weeks of disruption at the country's hospitals. The HSE refused to pay the $20 million ransom; recovery, covering IT infrastructure, outsourced cybersecurity assistance and third-party vendor support, was estimated at $48 million, and the total cost of the attack may exceed $100 million [3]. The President of Costa Rica, Rodrigo Chaves, declared the country at war with cybercriminals after a major attack on 27 government institutions; the group demanded a ransom of $10 million and raised it to $20 million when payment was delayed [4].
The US government has offered rewards totalling up to $15 million: up to $10 million for information identifying or locating the leaders of the group behind Conti, and up to $5 million for information leading to the arrest of any individual conspiring to use a variant of the Conti ransomware [5].
III. HOW WIZARD SPIDER CARRIES OUT AN ATTACK
This section outlines the tools and techniques Wizard Spider adopts to carry out an attack.
The first stage starts with a mass-scale spam campaign using the QBot and SystemBC malware, followed by the identification of valuable targets for ransom demands and the deployment of Cobalt Strike for lateral movement.
A. Hypervisor Encryption Server
A sub-team at Wizard Spider targets hypervisor servers with the Conti ransomware strain. Once the data has been exfiltrated from the victim's servers, a locker build is prepared on the group's own Locker Software Server and uploaded. The software encrypts the data and leaves a ransom note, as is typical of Conti ransomware attacks [6, p. 6].
1) Autolocker deployment: Access credentials are acquired through SOCKS proxy IPs, and the locker malware is dropped directly on the victim's servers. The IP addresses used connect automatically to the Cobalt Strike servers operated by Wizard Spider. If a locker attack fails, the threat actors reuse the same locker software against other targets in the hope of success [6, pp. 6-8].
2) Conti ransomware: The malware takes arguments from the threat actor; it checks for the 'detach' feature and adjusts its encryption behaviour accordingly. In the final stage, the ransomware encrypts all files on the system and changes their extensions to ".conti" [6, p. 9].
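The ".conti" extension change described above is the one indicator in this section a defender can act on directly: a locker renames thousands of files in seconds, which no user does. The following detector is an added example written for this paper, not code from the original page or from PRODAFT's report. It reads a constructed, simplified file-event log (timestamp, host, user, event, old path -> new path); the burst threshold of five renames per minute per (host, user) pair is an assumption, and only the parsing would change for real Sysmon, auditd or EDR telemetry.

```python
"""Detect a Conti-style mass-encryption burst from file rename events.

Added example for this paper, not code from the original page or from
PRODAFT's report. The log format is a constructed, simplified one
(timestamp, host, user, event, old path -> new path).
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# From the paper: Conti renames every encrypted file to the ".conti" extension.
CONTI_EXTENSION = ".conti"
# Assumed thresholds: five renames by one (host, user) inside one minute is
# far above normal user activity and well below the rate of a locker.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2022-05-10T02:14:01Z fs01 svc_backup RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.conti
2022-05-10T02:14:01Z fs01 svc_backup RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.conti
2022-05-10T02:14:02Z fs01 svc_backup RENAME /share/finance/budget.docx -> /share/finance/budget.docx.conti
2022-05-10T02:14:02Z fs01 svc_backup RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.conti
2022-05-10T02:14:03Z fs01 svc_backup RENAME /share/hr/contracts.pdf -> /share/hr/contracts.pdf.conti
2022-05-10T02:14:03Z fs01 svc_backup RENAME /share/hr/org.pptx -> /share/hr/org.pptx.conti
2022-05-10T02:20:00Z ws07 alice RENAME /home/alice/draft.txt -> /home/alice/report.txt
2022-05-10T09:00:00Z ws12 bob RENAME /home/bob/notes.md -> /home/bob/notes.md.conti
"""


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, host, user, event, rest = line.split(" ", 4)
    old, new = rest.split(" -> ", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "event": event, "old": old, "new": new,
    }


def detect_conti_renames(log_text, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return alerts for renames to .conti.

    A (host, user) pair that performs `threshold` such renames within
    `window` gets one 'high' alert, raised the moment the threshold is
    crossed; any pair that renamed at least one file to .conti without
    reaching the threshold gets a 'low' alert at the end.
    """
    recent = defaultdict(deque)     # (host, user) -> timestamps inside window
    totals = defaultdict(int)       # (host, user) -> total .conti renames
    dirs = defaultdict(set)         # (host, user) -> directories touched
    alerts, alerted = [], set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev["event"] != "RENAME" or not ev["new"].endswith(CONTI_EXTENSION):
            continue
        key = (ev["host"], ev["user"])
        totals[key] += 1
        dirs[key].add(os.path.dirname(ev["new"]))

        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "severity": "high", "host": key[0], "user": key[1],
                "renames_in_window": len(q), "directories": len(dirs[key]),
                "first": q[0].isoformat(), "last": ev["ts"].isoformat(),
            })

    for key, n in totals.items():
        if key not in alerted:
            alerts.append({
                "severity": "low", "host": key[0], "user": key[1],
                "renames_in_window": n, "directories": len(dirs[key]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_conti_renames(SAMPLE_LOG):
        print(alert)
```

On the sample, the service account on fs01 trips the high-severity alert at its fifth rename, two seconds into the burst and across two directories, while bob's single ".conti" rename is reported at low severity for triage. Raising on the first crossing of the threshold rather than at the end of the log is deliberate: the value of this detection lies in stopping the locker while most of the share is still intact.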
B. Post-exploitation Infrastructure
The scenarios above are engaged only after victims have been thoroughly researched for vulnerabilities, with zero-day exploitation attempted through intrusion servers that hold processes, the addresses of connected servers, Bitcoin addresses and sensitive data on the group's operations. Notes are kept and distributed within teams as encrypted ZIP files [6, p. 12].
1) Intrusion servers: These carry Conti's publicly accessible locker files, victim statistics and an active directory of victims. Other tools found on the servers include tools for network reconnaissance, credential dumping and data cloning [6, p. 13].
2) Exploitation toolset: The team uses a custom toolkit that exploits zero-day vulnerabilities in its attacks [6, p. 14].
3) Cracking station: The station stores cracked hashes, updates threat actors on cracking status and shows the outcome of cracking jobs running on other servers. Each entry features a hash value, descriptive text reflecting the victim's information, a priority value that ranks victims by how valuable they are, status text, and a results field containing the recovered plaintext of the hash [6, p. 15].
4) Cold-call systems: The team uses scare tactics when cold-calling non-responsive victims through a custom VoIP system. The system stores call recordings and guides sub-teams on the best methods for pressuring victims. It also holds the nomenclature the threat actors use to name victims, the time of the attack, the call status and a tracking number for each victim [6, p. 17].
5) Daily Cobalt Strike beacons: Beacons are generated for each team daily, using different servers and domain names for each sample sent out in order to avoid detection [6, p. 17].
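Because the beacons above rotate servers and domain names daily, an indicator feed of known Cobalt Strike domains will always lag; what does not rotate is the beacon's timing, which is a sleep interval plus a little jitter. The following script is an added example written for this paper, not code from the original page or from PRODAFT's report. It scores each (source, destination) pair in a web proxy log by the regularity of its connection intervals. The log format (timestamp, source IP, destination host, method, path, status), the destination names, the jQuery-looking request path and the tuning thresholds are all constructed or assumed for the example.

```python
"""Flag beacon-like periodic connections in web proxy logs.

Added example for this paper, not code from the original page or from
PRODAFT's report. Log format, hostnames and thresholds are constructed
for the example; field order is all that changes for real proxy logs.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed tuning: at least six connections and a coefficient of variation
# (std dev / mean) of the inter-arrival times below 0.2. A person browsing
# never keeps that regular; a beacon with modest jitter does.
MIN_CONNECTIONS = 6
MAX_JITTER_CV = 0.2

# Constructed sample log, not real traffic. The destination names are made up;
# 10.0.4.21 contacts cdn-assets-7731.example about once a minute with jitter.
SAMPLE_LOG = """\
2022-05-10T08:00:00Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:00:05Z 10.0.4.21 intranet.example GET / 200
2022-05-10T08:00:09Z 10.0.4.21 intranet.example GET /news 200
2022-05-10T08:01:00Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:02:01Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:02:59Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:04:00Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:05:02Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:05:58Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:07:00Z 10.0.4.21 cdn-assets-7731.example GET /jquery-3.3.1.min.js 200
2022-05-10T08:15:00Z 10.0.4.21 intranet.example GET /hr 200
2022-05-10T08:15:30Z 10.0.4.21 intranet.example GET /hr/forms 200
2022-05-10T08:30:00Z 10.0.4.22 news.example GET / 200
2022-05-10T08:31:00Z 10.0.4.22 news.example GET /sports 200
2022-05-10T09:00:00Z 10.0.4.21 intranet.example GET / 200
2022-05-10T09:00:02Z 10.0.4.21 intranet.example GET /news 200
"""


def parse_line(line):
    """Return (timestamp, source, destination) from one constructed log line."""
    ts, src, dst, _method, _path, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def find_beacons(log_text, min_connections=MIN_CONNECTIONS, max_cv=MAX_JITTER_CV):
    """Return one record per (src, dst) pair whose timing looks like a beacon."""
    seen = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst = parse_line(raw)
        seen[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in seen.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:          # duplicate timestamps only; nothing to measure
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "connections": len(times),
                            "mean_interval": mean, "jitter_cv": round(cv, 3)})
    return beacons


def beaconing_hosts(log_text, **kwargs):
    """Collapse beacon records per source so a host that talks to a fresh
    domain every day still shows up as one beaconing host."""
    hosts = defaultdict(set)
    for rec in find_beacons(log_text, **kwargs):
        hosts[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hosts.items()}


if __name__ == "__main__":
    for rec in find_beacons(SAMPLE_LOG):
        print(rec)
    print(beaconing_hosts(SAMPLE_LOG))
```

On the sample the intranet pair has six hits too, but its intervals range from 2 s to 45 min and its coefficient of variation is above 1, so only the 60-second pattern to the made-up CDN host is flagged. Run the analysis over windows no longer than a day and report by source host, as beaconing_hosts() does, since the daily rotation the paper describes means the destination of today's beacon is not in yesterday's blocklist.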
C. Extortion Servers
After the victim's data is stolen, it is transferred to an extortion server over a proxy network set up with a VPN before the ransomware is deployed. Periodically, the extortion server transfers the victims' data to a backup server in Russia with 26 TB of disk [6, p. 19].
1) Proxy network: Victim extortion and file transfers are carried out through a WebDAV service, a protocol that allows users to edit and manage files on remote web servers [6, p. 19].
2) VPN infrastructure: Internal and external traffic is managed through a large set of WireGuard configurations and VPN connections. The configuration files are kept separate from the private keys to avoid leaving a digital footprint [6, p. 20].
3) QBot relation: PST files containing victims' information are obtained from the extortion servers and used for further phishing campaigns [6, p. 20].
4) De-anonymization: Operational accounts are tracked in an Excel spreadsheet and kept anonymous with OPSEC tactics such as logging into each account only from specific IP addresses and creating a separate anonymous identity for each account [6, p. 21].
D. Author profiling and linguistic evidence
AUCH (Autorenprofile für die Untersuchung von Cyberkriminalität CH, "Author Profiles for the Investigation of Cybercrime, Switzerland"), a preliminary-stage deep neural network project supported by the Swiss Innovation Agency, was used to investigate the cybercriminals' language. Analysis of their syntax, grammar and choice of vocabulary pointed to possible connections with the Russian language [6, p. 24].
IV. MITIGATION STRATEGIES FOR BUSINESSES
Anything that makes an attack more cumbersome contributes to a more secure cyberspace. With 128,038 SystemBC victims spread across Russia, the USA and other developed countries [6, p. 25], it is important for businesses to adopt both preventive and detective controls against these threat actors. The mitigation approach should follow a threat-informed security strategy that detects threats such as ransomware, malware and phishing, backed by robust detection and speedy response capabilities [7].
V. CONCLUSIONS
The level of danger associated with this actor gives business executives the opportunity to understand the threat actors they are up against and to assess their readiness to prevent or combat any attack these criminals may launch as they roam in search of enterprises to devour. Given the sophistication of the group's methods, it is fair to say that an IT security professional's fear of this threat actor is the "beginning of wisdom".
The group has made significant investments in research and development, which indicates that it anticipates high returns and is bullish about achieving them. It will continue to build infrastructure and increase its capacity to strike targets. IT leaders must therefore use the information at their disposal to spot early indicators of compromise that resemble Wizard Spider's actions.
The group has demonstrated that it is financially motivated and can monetize practically every aspect of its activities, for example by charging affiliates a subscription or pay-as-you-go fee to use its cracking station. Wizard Spider is also patient enough to test small-scale attacks in preparation for large-scale assaults that target thousands of users.
The information available about Wizard Spider provides sufficient insight into how the organization operates, its raison d'être and the way its members distribute tasks. Given the group's extensive network, its financial resources and the recency of its attacks, Wizard Spider remains a threat to organizations and even to countries.
REFERENCES
[1] Canadian Centre for Cyber Security, "Definition of threat actor," in An introduction to the cyber threat environment, 28 October 2022. [Online]. Available: https://cyber.gc.ca/en/guidance/introduction-cyber-threat-environment. Accessed 17 November 2022.
[2] J. Burt, "Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware," The Register, 18 May 2022. [Online]. Available: https://www.theregister.com/2022/05/18/wizard-spider-ransomware-conti/. Accessed 15 November 2022.
[3] J. Greig, "Conti ransomware attack on Irish healthcare system may cost over $100 million," ZDNet, 24 February 2022. [Online]. Available: https://www.zdnet.com/article/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million/. Accessed 17 November 2022.
[4] J. Tidy, "President Rodrigo Chaves says Costa Rica is at war with Conti hackers," BBC News, 18 May 2022. [Online]. Available: https://www.bbc.com/news/technology-61323402. Accessed 17 November 2022.
[5] J. Burt, "US offers $15m reward for information about Conti ransomware gang," The Register, 9 May 2022. [Online]. Available: https://www.theregister.com/2022/05/09/us-reward-conti-ransomware/. Accessed 15 November 2022.
[6] PRODAFT, "Wizard Spider In-depth Analysis," 16 May 2022, pp. 6-25.
[7] A. Radhakrishnan, "Wizard Spider and Sandworm ATT&CK Evaluation Results: Data Encrypted For Impact," MITRE Engenuity, 31 March 2022. [Online]. Available: https://medium.com/mitre-engenuity/wizard-spider-and-sandworm-att-ck-evaluation-results-data-encrypted-for-impact-t1486-b4cf47a2d5ca. Accessed 22 November 2022.