Threat Actors: Wizard Spider and its relevance to risk management

Ifeoma Nwawe
Concordia University of Edmonton
Edmonton, AB
inwawe@student.concordia.ab.ca

Abstract— This study looks at Wizard Spider as a threat actor, investigates its attack strategies, and draws conclusions about the group's significance for risk management.

Keywords— Wizard Spider, Trickbot, Ryuk, Conti, QBot, SystemBC, malware, zero-day.

I. INTRODUCTION

The Canadian Centre for Cyber Security defines a threat actor as an organization or an individual with malevolent intent who seeks to use the flaws in an information system or its users to access victims' data, devices, systems, and networks without their consent or to negatively impact their validity [1]. In the e-crime landscape, threat actors constantly specialize in their craft; they differ in skill, sophistication and capability. Among threat actor groups there is also unprecedented cooperation to leverage the areas each is good at, and this cooperation allows them to scale their operations [2]. This increased specialization allows them to develop new malware variants and also boosts criminal enthusiasm [3].

II. WIZARD SPIDER AND ITS IMPACT

Wizard Spider is a Russian-linked crew that offers ransomware as a service. The group is behind malware like Trickbot, Ryuk and Conti. First identified in 2017, the group runs a multimillion-dollar organization with a corporate-like operating model. Its members are scattered around Erbil, Kurdistan, Saint Petersburg and Ukraine [2]. The group is extremely profitable, which allows its stakeholders to invest in research and development for unlawful purposes. Wizard Spider leverages specialization and collaboration by running a complex network of teams that target specific software types, and it has affiliations with miscreants like Qakbot and Pinkslipbot. Although Wizard Spider collaborates with other threat actor groups, its preferred modus operandi is full service.
They manage the entire life cycle of a cyber attack, from initial intrusion to encryption of the victim organization's data to hiring call-center agents for in-person prospecting and harassment. Where needed they buy malicious code, although the group is working on building its own hash-cracking applications. The majority of the attacks launched by Wizard Spider begin with a massive spam campaign using Qbot, SystemBC and business email compromise, with the main aim of deceiving targets into downloading and running the group's malware on their PCs. Another team painstakingly pinpoints valuable targets that are capable of paying a ransom; Cobalt Strike is then deployed for lateral movement. If the intrusion team succeeds in obtaining domain admin privileges, they immediately deploy Conti's ransomware.

The malware developed by Wizard Spider, especially Conti, has gotten the attention of developed and emerging economies. In May 2021, Conti launched an attack on Ireland's Health Service Executive, causing weeks of disruption and interference at the country's hospitals. The country refused to pay the $20 million ransom. It will cost the country $48 million to recover from this attack, covering IT infrastructure, outsourced cybersecurity assistance and third-party vendor support [3]. The President of Costa Rica, Rodrigo Chaves, has declared the country at war with cybercriminals after a major attack on 27 government institutions. The group demanded a ransom of $10 million and raised it to $20 million after the delay in receiving payment [4]. The US government has offered a reward of $15 million for information about the heads of the group developing Conti and any individual using a variant of the Conti ransomware [5].

III. HOW WIZARD SPIDER CARRIES OUT AN ATTACK

In this section, the tools and techniques adopted by Wizard Spider to carry out their attacks are outlined.
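Before the individual stages are detailed, it helps to see what two of them look like in telemetry from the defender's side. The Python below is an added example written for this page; it is not code from the paper, from PRODAFT or from MITRE. It runs two detections over constructed sample logs: the near-constant check-in cadence of Cobalt Strike beacons (Section III.B.5 notes that the group rotates servers and domain names daily, so a check based on timing rather than on a domain blocklist is what the detective strategy of Section IV calls for), and the burst of renames to the ".conti" extension that marks Conti's final stage (Section III.A). Hostnames, domains, file paths, the thresholds and the "readme.txt" note file name are all assumptions made for the example.

```python
"""Added example: two detections for observable stages of the life cycle above,
regular beacon check-ins and Conti's burst of ".conti" renames. All telemetry
here is constructed for the example, not captured from an incident."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2022, 5, 18, 9, 0, 0)  # arbitrary start of the constructed day


def _t(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed proxy log: (timestamp, source host, destination domain); names invented.
PROXY_EVENTS = (
    # WS-07 checks in with an unfamiliar domain every ~60 s with tiny jitter
    [(_t(60 * i + i % 3), "WS-07", "cdn-update-sync.example") for i in range(8)]
    # the same host browses an intranet site at irregular intervals
    + [(_t(s), "WS-07", "intranet.example") for s in (5, 12, 300, 301, 950, 2000, 2005, 3100)]
    # WS-12 has too few hits to judge a cadence
    + [(_t(120 * i), "WS-12", "cdn-update-sync.example") for i in range(3)]
)

# Constructed file-server audit events: (timestamp, host, action, path).
# "readme.txt" stands in for the ransom note; its real name is not given on the page.
FILE_EVENTS = (
    [(_t(3600 + i), "FS-01", "rename", f"D:/shares/finance/report_{i}.xlsx.conti") for i in range(15)]
    + [(_t(3615 + i), "FS-01", "rename", f"D:/shares/hr/contract_{i}.docx.conti") for i in range(15)]
    + [(_t(3631), "FS-01", "create", "D:/shares/finance/readme.txt")]
    + [(_t(3600), "WS-07", "rename", "C:/Users/a/Desktop/notes.txt.conti")]  # one stray rename
)


def detect_beaconing(events, min_hits=6, max_cv=0.1):
    """Flag (host, domain) pairs whose inter-request gaps are near-constant.
    cv = stdev/mean of the gaps: browsing is bursty (cv near or above 1), a beacon
    sleeping a fixed interval plus small jitter has cv close to 0. The signal is
    the cadence, not the domain, so daily domain rotation does not defeat it."""
    by_pair = defaultdict(list)
    for ts, host, domain in events:
        by_pair[(host, domain)].append(ts)
    alerts = []
    for (host, domain), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            alerts.append({"host": host, "domain": domain, "hits": len(stamps),
                           "interval_s": round(avg), "cv": round(cv, 3)})
    return alerts


def detect_conti_burst(events, window_s=60, min_renames=20, ext=".conti"):
    """Flag a host once >= min_renames files gain the ransomware extension inside a
    sliding window; report the largest such window, the directories it touched and
    any files created on the host around it (candidate ransom notes)."""
    renames = defaultdict(list)
    for ts, host, action, path in events:
        if action == "rename" and path.lower().endswith(ext):
            renames[host].append((ts, path))
    alerts = []
    for host, items in sorted(renames.items()):
        items.sort()
        best, lo = None, 0
        for hi in range(len(items)):
            while (items[hi][0] - items[lo][0]).total_seconds() > window_s:
                lo += 1
            size = hi - lo + 1
            if size >= min_renames and (best is None or size > best[1] - best[0] + 1):
                best = (lo, hi)
        if best is None:
            continue
        burst = items[best[0]:best[1] + 1]
        first, last = burst[0][0], burst[-1][0]
        created = sorted(path for ts, h, action, path in events
                         if h == host and action == "create"
                         and first <= ts <= last + timedelta(seconds=window_s))
        alerts.append({"host": host, "renames": len(burst),
                       "directories": len({p.rsplit("/", 1)[0] for _, p in burst}),
                       "duration_s": int((last - first).total_seconds()),
                       "created_in_window": created})
    return alerts


def triage(proxy_events=PROXY_EVENTS, file_events=FILE_EVENTS):
    """Per-host summary an analyst can act on; returns {host: [finding, ...]}."""
    report = defaultdict(list)
    for a in detect_beaconing(proxy_events):
        report[a["host"]].append(
            f"beacon-like traffic to {a['domain']} every ~{a['interval_s']}s ({a['hits']} hits, cv={a['cv']})")
    for a in detect_conti_burst(file_events):
        report[a["host"]].append(
            f"{a['renames']} renames to .conti across {a['directories']} directories in {a['duration_s']}s; "
            f"new files: {', '.join(a['created_in_window']) or 'none'}")
    return dict(report)
```

On the constructed data, `triage()` reports WS-07 for beacon-like traffic to the rotating domain (the same host's irregular intranet browsing is not flagged, and WS-12's three hits are below the sample-size floor) and FS-01 for thirty ".conti" renames across two share directories in under half a minute, with the note file listed as a file created in the same window. On a real proxy log the cadence check will also match legitimate pollers such as update checkers and monitoring agents, so an allowlist of known pollers, or a "first seen today" condition on the domain, belongs in front of it; the rename threshold and window should be tuned to the file server's normal churn.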
The first stage of the attack starts with a mass-scale spam campaign using the QBot and SystemBC malware, followed by identifying valuable targets for ransom demands and deploying Cobalt Strike for lateral movement.

A. Hypervisor Encryption Server

A sub-team at Wizard Spider targets hypervisor servers with the Conti ransomware strain. Once data has been exfiltrated from the victim's servers, a special locker is prepared on the group's own Locker Software Server and uploaded. The software encrypts the data and leaves a ransom note, as is typical of Conti ransomware attacks [6, p. 6].

1) Autolocker deployment: Access credentials are acquired through SOCKS IPs, then locker malware is dropped directly on the victim's servers. The IP addresses used connect automatically to the Cobalt Strike servers operated by Wizard Spider. If the locker attack fails, the threat actors reuse the same locker software in other attacks hoping for success [6, pp. 6-8].

2) Conti Ransomware: The malware receives arguments from the threat actor and checks for the 'detach' feature, adjusting its encryption accordingly. At the final stage, the ransomware encrypts all files on the system and changes their extensions to ".conti" [6, p. 9].

B. Post-exploitation Infrastructure

The scenarios above are only engaged after victims have been thoroughly researched for vulnerabilities and zero-day exploitation has been attempted through intrusion servers, which hold processes, connected server addresses, Bitcoin addresses and sensitive data on the group's operations. Notes are kept and distributed within teams in the form of encrypted ZIP files [6, p. 12].

1) Intrusion Servers: They carry Conti's publicly accessible locker files, victim statistics and an active directory of their victims. Other tools discovered on the servers include tools for network reconnaissance, credential dumping and data cloning, amongst others [6, p. 13].
2) Exploitation Toolset: The team uses a custom toolkit that exploits zero-day vulnerabilities in their attacks [6, p. 14].

3) Cracking Station: It stores cracked hashes, updates threat actors on their cracking status and shows the outcomes of cracking on other servers. The stations feature elements like hash values, description text reflecting the victim's information, a priority value, a system that ranks victims by how valuable they are, status text, and a results field containing the decrypted version of the hash value [6, p. 15].

4) Cold-call systems: The team uses scare tactics when cold-calling non-responsive victims with a custom VoIP system. This system stores calls and advises sub-teams on the best methods to adopt when pressuring victims. It also carries information like the nomenclature adopted by the threat actors in naming victims, the time of attack, call status and a tracking number for each victim [6, p. 17].

5) Daily Cobalt Strike beacons: Beacons are generated for each team daily, using different servers and domain names for each sample sent out to avoid detection [6, p. 17].

C. Extortion Servers

After the victim's data is stolen it is transferred to an extortion server over a proxy network established with a VPN before the ransomware is deployed. Periodically, the extortion server transfers the victim's data to a backup server in Russia with a 26 TB disk [6, p. 19].

1) Proxy Network: Victim extortion processes and file transfers are done through a WebDAV service, which allows users to edit and manage files on remote web servers [6, p. 19].

2) VPN Infrastructure: Internal and external traffic is managed through extensive WireGuard configurations and VPN connections. The configuration files are kept separate from the private keys to avoid leaving a digital footprint [6, p. 20].
3) QBot Relation: PST files containing victims' information are obtained from the extortion servers and used for phishing campaigns [6, p. 20].

4) De-Anonymization: Operational accounts are kept anonymous and tracked in an Excel spreadsheet, using OPSEC tactics like logging into accounts only from specific IP addresses and creating a separate anonymous identity for each account [6, p. 21].

D. Author profiling and linguistic evidence

AUCH (Autorenprofile für die Untersuchung von Cyberkriminalität CH), a preliminary-stage deep neural network project supported by the Swiss Innovation Agency, was used to investigate the language of the cybercriminals. Analysis of syntax, grammar and choice of vocabulary pointed to possible connections to the Russian language [6, p. 24].

IV. MITIGATION STRATEGIES FOR BUSINESSES

Any measure that makes an attack more cumbersome contributes to a more secure cyberspace. With 128,038 SystemBC victims scattered across Russia, the USA and other developed countries [6, p. 25], it is important for businesses to adopt preventive and detective strategies against these threat actors. The mitigation solution should adopt a threat-informed security strategy that detects threats like ransomware, malware and phishing, backed by robust detection and speedy response capabilities [7].

V. CONCLUSIONS

The level of danger associated with this deadly actor offers business executives the opportunity to understand the threat actors they are up against and to assess their readiness to combat or prevent any attack that may be launched by these wandering criminals looking for enterprises to devour. Given the sophistication of this group's methods, it is fair to claim that an IT security professional's fear of this threat actor is the "beginning of wisdom". The group has made significant investments in research and development, which indicates that they anticipate high returns and are bullish on achieving these returns on investment.
They will continue to create infrastructure and increase their capacity to strike targets. Therefore, IT leaders must take advantage of the information at their disposal to spot early indicators of compromise that resemble Wizard Spider's actions. The group has demonstrated that they are financially motivated and can monetize practically all aspects of their activities, such as by charging affiliates a subscription or pay-as-you-go fee to use their cracking station. Wizard Spider is also patient enough to test small-scale attacks in preparation for large-scale assaults that target thousands of users. The information provided about Wizard Spider gives sufficient insight into how this organization operates, its raison d'être, and the strategies the members use to distribute tasks. Given the group's extensive network, financial resources and the recency of their attacks, Wizard Spider is still a threat to organizations and even countries.

REFERENCES

[1] Canadian Centre for Cyber Security, "Definition of threat actor," An introduction to the cyber threat environment, 28 October 2022. [Online]. Available: https://cyber.gc.ca/en/guidance/introduction-cyber-threat-environment. Accessed 17 November 2022.
[2] J. Burt, "Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware," 18 May 2022. [Online]. Available: https://www.theregister.com/2022/05/18/wizard-spider-ransomware-conti/. Accessed 15 November 2022.
[3] J. Greig, "Conti ransomware attack on Irish healthcare system may cost over $100 million," 24 February 2022. [Online]. Available: https://www.zdnet.com/article/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million/. Accessed 17 November 2022.
[4] J. Tidy, "President Rodrigo Chaves says Costa Rica is at war with Conti hackers," 18 May 2022. [Online]. Available: https://www.bbc.com/news/technology-61323402. Accessed 17 November 2022.
[5] J. Burt, "US offers $15m reward for information about Conti ransomware gang," 9 May 2022. [Online]. Available: https://www.theregister.com/2022/05/09/us-reward-conti-ransomware/. Accessed 15 November 2022.
[6] PRODAFT, "Wizard Spider In-depth Analysis," 16 May 2022, pp. 6-25.
[7] A. Radhakrishnan, "Wizard Spider and Sandworm ATT&CK Evaluation Results: Data Encrypted For Impact," 31 March 2022. [Online]. Available: https://medium.com/mitre-engenuity/wizard-spider-and-sandworm-att-ck-evaluation-results-data-encrypted-for-impact-t1486-b4cf47a2d5ca. Accessed 22 November 2022.