Cybercrime Group
Wizard Spider
Russia • Active since 2016
Wizard Spider is the gang behind TrickBot and Conti ransomware, which together have caused billions in damage. They operate like a business with departments for development, HR, and negotiations.
Overview
Wizard Spider is a Russian cybercriminal group that operates TrickBot malware and Conti/Ryuk ransomware. They run one of the largest and most sophisticated cybercriminal operations globally.
Also Known As
Gold Blackburn, TrickBot Gang, UNC1878
Target Industries
Healthcare, Government, Critical Infrastructure, Manufacturing, All Industries
Target Regions
Global, Excluding Russia/CIS
Tactics, Techniques & Procedures
- Phishing with malicious attachments
- TrickBot initial access
- Cobalt Strike beaconing
- Active Directory enumeration
- Ransomware deployment
Known Tools & Malware
TrickBot, Conti, Ryuk, BazarLoader, Anchor, Cobalt Strike
Notable Campaigns
Healthcare Sector Attacks (2020)
CISA advisory warning about imminent threat to US hospitals during COVID-19.
Conti Ransomware Operations (2020-2022)
Extensive ransomware operations earning hundreds of millions.
MITRE ATT&CK Techniques
T1566.001, T1204.002, T1059.001, T1486, T1078
Defense Recommendations
1. Block TrickBot indicators at perimeter
2. Implement healthcare-specific ransomware defenses
3. Monitor for Cobalt Strike beacons