
Ransomware profile: Wizard Spider / Conti

Edmée Vaudremer
Published Monday 29 August 2022
Part of our series of profiles on ransomware threat groups and ransomware variants

In this series of profiles, we provide the "need to know" information on prominent ransomware threat groups and variants. These quick reference guides summarise the key facts and figures, cover common targets and known associations, and dig into preferred tools and tactics.

Ransomware profile: Wizard Spider (MITRE profile of Wizard Spider, last updated 14 October 2021)

Ransomware application: Conti

Current main activity, product or service: Conti Ransomware-as-a-Service (RaaS)

Aliases: ITG23 (IBM X-Force Threat Intelligence Index 2022), Gold Blackburn (Secure Works profile), DEV-0193 (Microsoft, Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, last updated July 2022)

Associated groups: TEMP.MixMaster, GRIM SPIDER, UNC1878 (MITRE profile of Wizard Spider)

Likely based in: Eastern Europe; Russia

Key statistics involving the Conti ransomware application:

  • 3% of the ransomware incidents observed by IBM's X-Force Incident Response in 2021 involved Conti (IBM X-Force Threat Intelligence Index 2022)
  • 15.5% of the ransomware incidents observed by Unit 42 in 2021 involved Conti (Unit 42 Incident Response Report 2022)
  • 1,000+ reported attacks as of February 28, 2022 (CISA Alert AA21-265A on Conti Ransomware, last updated 9 March 2022)

Early observations:

  • Wizard Spider first observed in 2016 (CrowdStrike Adversary Universe)
  • Conti ransomware was first seen distributed in December 2019 (Bleeping Computer, Conti ransomware shows signs of being Ryuk's successor, 9 July 2020)

Targets:

  • Opportunistic targeting in multiple sectors and geographies (Prodaft, Wizard Spider In-Depth Analysis, May 2022)
  • US healthcare and first responder networks (FBI, Conti Ransomware Attacks Impact Healthcare and First Responder Networks, 20 May 2021)

Ransom demands and payments:

  • $1.78m = average ransom demand on Unit 42 cases in 2021, ranging from $50k to $3m (Unit 42 Ransomware Threat Report 2022)
  • $110,000 = average ransom payment reported by Coveware for the month of June 2022 (Coveware profile on Conti)
  • At least $180m = total amount extorted by Wizard Spider using Conti in 2021 (Chainalysis Crypto Crime Report 2022, February 2022, page 39)
  • Wizard Spider was found to quickly lower their ransom demand when using Conti: "the price reductions offered were generally substantial, including 10, 24, 57 and 74 percent, and even higher" (Cisco Talos, Conti and Hive ransomware operations: leveraging victim chats for insights, May 2022, page 6)

Notable victim: Irish Health Service Executive and Department of Health in May 2021

Recent victim: Costa Rican government in April 2022 (Bleeping Computer, How Conti ransomware hacked and encrypted the Costa Rican government, 21 July 2022)

Malware variants commonly used (current):

  • Conti (MITRE Conti profile, last updated 16 April 2022)
  • Emotet (ESET, Hunting down Sandworm and Wizard Spider, 1 April 2022)
  • TrickBot family (MITRE TrickBot profile, last updated 1 October 2021)
  • Bumblebee (Google Threat Analysis Group, Exposing initial access broker with ties to Conti, 17 March 2022)
  • BazarLoader (Prodaft, Wizard Spider In-Depth Analysis, May 2022)

Malware variants commonly used (historical):

  • Dyre (MITRE Dyre profile, last updated 22 June 2022)
  • Ryuk (CrowdStrike, WIZARD SPIDER Update: Resilient, Reactive and Resolute, 16 October 2020)
  • Anchor (CrowdStrike, WIZARD SPIDER Update: Resilient, Reactive and Resolute, 16 October 2020)
  • Kegtap (Mandiant, Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser, 28 October 2020)

Observed ransom notes and file extensions:

  • Conti: CONTI_README.txt, .CONTI
  • Ryuk: RyukReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE.txt, RyukReadMe.html, .RYK
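The ransom note filenames and extensions above are the kind of indicator a responder sweeps a file share for during triage. The following Python script is an added example written for this profile, not code from Asceris or from any of the sources cited: it walks a directory tree, matches the Conti and Ryuk note names and extensions exactly as listed above, and tallies notes and encrypted files per family. The sample directory layout it builds is constructed for demonstration and is not data from a real incident.

```python
import os
import tempfile
from collections import defaultdict

# Ransom note filenames and encrypted-file extensions as listed in the profile.
# Extensions are compared case-insensitively; note names are compared exactly
# and, as a fallback, case-insensitively.
RANSOM_INDICATORS = {
    "Conti": {"notes": {"CONTI_README.txt"}, "extensions": {".conti"}},
    "Ryuk": {
        "notes": {"RyukReadMe.txt", "UNIQUE_ID_DO_NOT_REMOVE.txt", "RyukReadMe.html"},
        "extensions": {".ryk"},
    },
}


def classify_file(name):
    """Return (family, kind) for a filename, or None when nothing matches.

    kind is 'note' for a ransom note or 'encrypted' for a file carrying one of
    the encrypted-file extensions. Notes are checked first so that a note
    whose name happens to end in a tracked extension is still reported as a note.
    """
    lower = name.lower()
    for family, ind in RANSOM_INDICATORS.items():
        if name in ind["notes"] or lower in {n.lower() for n in ind["notes"]}:
            return family, "note"
        for ext in ind["extensions"]:
            if lower.endswith(ext):
                return family, "encrypted"
    return None


def sweep(root):
    """Walk a directory tree and tally ransom notes and encrypted files per family.

    Returns {family: {'note': n, 'encrypted': m, 'note_paths': [...]}}; the note
    paths are kept because they show which shares or directories were reached.
    """
    summary = defaultdict(lambda: {"note": 0, "encrypted": 0, "note_paths": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_file(name)
            if hit is None:
                continue
            family, kind = hit
            summary[family][kind] += 1
            if kind == "note":
                summary[family]["note_paths"].append(os.path.join(dirpath, name))
    return dict(summary)


def build_sample_tree(root):
    """Constructed sample tree for demonstration only (hypothetical paths)."""
    layout = {
        "share/finance/Q2.xlsx.CONTI": b"",
        "share/finance/CONTI_README.txt": b"constructed note body",
        "share/hr/staff.docx.CONTI": b"",
        "share/hr/report.pdf": b"clean file",
        "legacy/backup.zip.RYK": b"",
        "legacy/RyukReadMe.html": b"constructed note body",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for family, counts in demo().items():
        print(f"{family}: {counts['note']} note(s), {counts['encrypted']} encrypted file(s)")
        for p in counts["note_paths"]:
            print("  note at", p)
```

In a real sweep, point `sweep()` at a mounted share rather than the temp tree; the per-directory note paths give a quick picture of how far the encryption run reached before it was stopped.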

Additional details:

  • Attack vectors include exposed Virtual Private Network credentials (Asceris Ransomware Response Team), and phishing emails that contain the Trickbot trojan (IBM X-Force Threat Intelligence Index 2022) and Cobalt Strike (CISA Alert AA21-265A on Conti Ransomware)
  • Cobalt Strike Beacon deployed on endpoints to execute the credential extraction tool Mimikatz (Asceris Ransomware Response Team) or dropped using Server Message Block (SMB) protocol on a domain controller for lateral movement (MITRE profile of Wizard Spider)
  • Anti-forensic techniques used to purge event logs of compromised endpoints (Asceris Ransomware Response Team)
  • A remote access tool, the NetSupport Manager client, dropped for persistence and to sell access to the environment to others (Asceris Ransomware Response Team)
  • Capable of targeting specific network drives and individual local IP addresses using command line arguments
  • Can be executed by a human operator or run independently (VMware, TAU Threat Discovery: Conti Ransomware, 8 July 2020)
  • May communicate with target using ProtonMail and single-use VoIP numbers
  • Public-facing infrastructure currently shut down, as of 4 August 2022 (DarkFeed, Twitter post, 22 June 2022)
  • US Department of State offering $15 million for information on Conti leaders (US Department of State, Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice, 6 May 2022)
  • Certain affiliates have access to a Linux variant of the ransomware, targeting ESXi systems (SecureList by Kaspersky, New ransomware trends in 2022, 11 May 2022)
  • Internal Conti chats and information were leaked by an allegedly Ukrainian member after Conti stated their support for Russia in the Ukraine conflict on February 25, 2022 (SecureList by Kaspersky, New ransomware trends in 2022, 11 May 2022)
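The event log purging noted above leaves its own trace: Windows records the clearing of the Security log as event ID 1102 and of the System log as event ID 104, both from the Microsoft-Windows-Eventlog provider, and the command used to clear a log usually appears in process-creation telemetry (Security 4688 with command-line auditing enabled, or Sysmon event ID 1). Those event IDs are standard Windows behaviour and are not taken from the profile or its sources. The detection logic below is an added example written for this profile, not Asceris code; it runs over a handful of constructed event records and flags both the clear events themselves and the wevtutil / Clear-EventLog command lines that produce them.

```python
import re

# Log-cleared events: (channel, event ID). Standard Windows IDs, not from the profile.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"

# Process-creation events that carry a command line.
PROCESS_EVENTS = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}

# "wevtutil cl <log>" / "wevtutil clear-log <log>" and the PowerShell Clear-EventLog cmdlet.
CLEAR_CMD = re.compile(
    r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b|\bClear-EventLog\b",
    re.IGNORECASE,
)


def detect_log_clearing(events):
    """Return one alert dict per event that indicates an event log being cleared.

    Each event is a dict with at least channel, event_id, host, time, and optionally
    provider, user and command_line. Nothing here depends on a SIEM; the same rules
    translate directly into a query against 1102/104/4688/Sysmon 1 records.
    """
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in CLEAR_EVENTS and ev.get("provider") == CLEAR_PROVIDER:
            alerts.append({
                "host": ev["host"], "time": ev["time"], "user": ev.get("user", "?"),
                "reason": f"{ev['channel']} log cleared (event {ev['event_id']})",
            })
        elif key in PROCESS_EVENTS and CLEAR_CMD.search(ev.get("command_line", "")):
            alerts.append({
                "host": ev["host"], "time": ev["time"], "user": ev.get("user", "?"),
                "reason": f"log-clearing command: {ev['command_line']}",
            })
    return alerts


# Constructed sample telemetry (hypothetical hosts, users and timestamps).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog",
     "host": "WS01", "user": "svc_backup", "time": "2022-08-01T02:14:05Z"},
    {"channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog",
     "host": "WS01", "user": "svc_backup", "time": "2022-08-01T02:14:06Z"},
    {"channel": "Security", "event_id": 4688, "host": "WS01", "user": "svc_backup",
     "time": "2022-08-01T02:14:04Z", "command_line": "wevtutil.exe cl Security"},
    {"channel": "Security", "event_id": 4688, "host": "WS02", "user": "analyst",
     "time": "2022-08-01T09:30:00Z", "command_line": "wevtutil.exe qe Security /c:5"},
    {"channel": "Security", "event_id": 4624, "host": "WS02", "user": "analyst",
     "time": "2022-08-01T09:29:58Z"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "DC01",
     "user": "admin", "time": "2022-08-01T02:20:11Z",
     "command_line": "powershell.exe -nop -c Clear-EventLog -LogName System"},
]


def demo():
    """Run the rules over the constructed sample and return the alerts."""
    return detect_log_clearing(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['time']} {a['host']} {a['user']}: {a['reason']}")
```

The benign `wevtutil qe` query on WS02 and the ordinary logon event are deliberately included so the rule is seen to ignore them; in practice the 1102/104 records are the more reliable signal, since they are written by the Event Log service itself rather than depending on command-line auditing being enabled.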

MITRE ATT&CK: The following image shows the tools and techniques used alongside the Conti ransomware variant (Digi Cat, Reddit post on 23 August 2021)

Find out more

Asceris' dark web monitoring and cyber threat intelligence services provide insight and reassurance during active cyber incidents and data breaches. Our dark web monitoring solution automatically detects nefarious activity and exfiltrated content on the deep and dark web. Our threat intelligence analysts review, assess, and report actionable intelligence. We carry out open source research, threat group analysis, cryptocurrency tracing and investigations, and we support incident response teams and SOCs with our cyber threat investigations capability.

If you are the target of an active ransomware attack, please request emergency assistance immediately.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Edmée Vaudremer
Edmée is an incident response analyst at Asceris working on business email compromise cases, ransomware investigations, and tracking cyber threat groups and malware families. She previously assisted customers with personalising a leading anomaly detection tool to their environment. She has a background in terrorism research and analysis, and is a fluent French speaker.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

