Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise. On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups. According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a “complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.” Wizard Spider also uses Virtual Private Networks (VPNs) and proxies to hide their tracks. However, the group has also invested in some unusual tools, including VoIP systems and employees tasked with cold-calling individuals and scaring them into paying up after a security incident. This is a tactic employed in the past by a handful of other ransomware groups, including Sekhmet, Maze, and Ryuk. Coveware suspects that this kind of ‘call center’ work may be outsourced by cybercriminals, as the templates and scripts used are often “basically the same.”
Analyst Notes
Ransomware threat actors often use other means to increase pressure on ransomware victims to pay ransom, such as exfiltrating proprietary data and using a double extortion scheme of threatening to leak the data on their website if the ransom is not paid, and in the case of Wizard Spider, using a call center to cold call victims and pressure them into paying. The double extortion method of leaking proprietary data is particularly problematic due to the harm it can cause an organization both in pragmatic terms and how much it can damage an organization’s reputation, so it is important to prevent ransomware incidents from occurring in the first place. Train employees to spot and report phishing emails, and to never enable macros on MS Office documents unless they are certain that there is a business need. Use mandatory multi-factor authentication for accounts used for remote access such as RDP or VPN services. Have good endpoint monitoring with an EDR solution and either a 24/7 internal SOC to triage the alerts, or a service like Binary Defense to triage them for you. If all else fails, it is important to have multiple backups, including offline backups, and an incident response plan to get back up and running quickly.
https://www.zdnet.com/article/wizard-spider-hacking-group-hires-cold-callers-to-scare-ransomware-victims-into-paying-up/
