Date: 2021-05-18

The Russian-speaking cybercrime gang Wizard Spider, suspected of launching the attack on the HSE and the Department of Health, is the largest and most advanced gang in the world’s first cyber cartel. This cartel, made up of five Russian-speaking cyber gangs, was formed last year and dominates ransomware attacks across the globe.

At least some Wizard Spider members are believed to be based in Russia, where their activities are tolerated by the state as long as they do not attack Russian targets. The code they use in their malware or ransomware is programmed to uninstall itself if it finds itself running on a Russian-language system, or on any system whose Internet Protocol (IP) address is located in the former Soviet Union.

It is widely suspected throughout the international community that Russia tolerates Wizard Spider as long as the gang attacks targets in the West. Its members are also suspected of working on behalf of the Russian authorities, lending their infrastructure and expertise to state-backed attacks on Russia’s enemies. However, the attack on the HSE is considered a purely financial crime aimed at extracting a ransom from the HSE, rather than a Russian-directed attack on the Republic.

Wizard Spider has been known to attack healthcare facilities in the past, but its attack on the Irish healthcare system is considered unprecedented, both in its scale and because it targeted a national healthcare system, which had never happened before. The ransom demanded is also much larger than in previous cases.

Ciaran Martin, the Northern Irishman who until recently led Britain’s National Cyber Security Centre (NCSC), said that while healthcare facilities in the US and some in Europe had been targeted in ransomware attacks, he did not know of any attack on the same scale as that on the HSE.

“Deliberate targeting of a state-run health care system is without parallel in my experience,” he said. While the NHS was hit by the WannaCry ransomware attack four years ago, it was accidentally infected during an attempt by North Korea to rob Asian banks rather than being the target.

Those Wizard Spider members who are based in Russia rarely, if ever, leave that country for fear of arrest. However, security sources said it is very likely that the people who make up Wizard Spider – who have never been identified – are also located in other countries, mainly Ukraine. The same sources said it is likely that many members of the group have never met and do not know each other except on the Darknet.

Espionage malware

Wizard Spider previously used Ryuk ransomware, although it later switched to Conti, the ransomware deployed against the HSE. Uniquely among cyber gangs, evidence has been found of ransoms from simultaneous Ryuk and Conti attacks being transferred to Bitcoin wallets controlled by Wizard Spider. This means the gang carries out several attacks using different tools at the same time.

This is seen by the cybersecurity industry as strong evidence that Wizard Spider is much larger than the other gangs in the Ransom Cartel, also known as the Maze Cartel, and is divided into several teams. Wizard Spider is also unique in global cybercrime in another sense: evidence now emerging suggests it is the first cyber gang in the world to possess espionage malware. The espionage malware it uses, however, seeks only to capture information; it has no financial component.

A report by the US cybersecurity firm Analyst1 said that Wizard Spider’s use of Sido is extremely unusual, as this type of tool is usually associated with nation-state espionage attacks.

The report continued: “Obviously, this raises a lot of questions as to why Wizard Spider uses it. As an analyst, you have to ask yourself: why would a ransomware gang need spyware malware?”

All the groups in the Ransom Cartel, or Maze Cartel, that formally joined forces last summer – Twisted Spider, Wizard Spider, Viking Spider, the Lockbit gang and the SunCrypt gang – are involved in the same kind of activity as that now being carried out against the HSE.

They infiltrate the target computer system with malicious software – malware or ransomware – and both encrypt and copy files and other data. They then demand a ransom, to be paid in Bitcoin, in exchange for unlocking the files they have encrypted. If they are not paid, they leak the data they have stolen, often personal or commercially sensitive information, on dedicated leak sites.

Wall of shame

On its leak site, Wizard Spider publishes press releases designed to humiliate the companies it has attacked and is trying to extort, using tactics intended to embarrass them publicly. These include a “wall of shame” on which companies are nominated for “hole of the month” or “clown of the month”, alongside general mockery and name-calling.

Last week Wizard Spider effectively hijacked the HSE’s digital assets – copying them and storing the copies while locking and encrypting the originals. The gang claims that if $20 million is paid in Bitcoin it will unlock the systems. If it is not paid, it will not undo the encryption and will instead seek to exploit the data it has stolen, either by sharing it online in retaliation for the unpaid ransom or by selling it to other criminals. If personal information, including patient data, is shared or sold, other criminals can use it to extort those people in Ireland whose data has been accessed.

Jon DiMaggio, chief security analyst at Analyst1, an American company specializing in cyber espionage and targeted attacks, published the report – Ransom Mafia: Analysis of the World’s First Ransomware Cartel – which examined Wizard Spider and the other gangs in the cartel. He concluded that Wizard Spider has been carrying out ransomware attacks since 2016 and that it joined the Ransom Cartel last August.

“Beyond their experience alone, Wizard Spider has more sophisticated tools, malware and capabilities than any other cartel gang,” says DiMaggio’s report. He explained that the Conti malware the gang was using was able to evade defenses and encrypt victims’ data faster than any other variant to date. It can identify whether data is stored locally or shared on a network, which means it can automatically focus on valuable data and leave non-essential data on local systems untouched. Just three months ago the gang added a worm-like capability to its tooling, ensuring that Wizard Spider could reach all of a victim’s systems, “thus maximizing ransom encryption throughout the (targeted) environment”.

Mr DiMaggio’s report was prompted by a press release in June last year from Twisted Spider, an Eastern European or Russian gang. It claimed to have joined forces with four other groups, including the Wizard Spider gang suspected in the HSE attack, and that together they were operating as a cartel.

The DiMaggio report investigated the claim that the gangs had formed a cartel. It did so by studying cryptocurrency transactions and the nature and volume of content on the leak sites. It found that the gangs were operating in unison, sharing stolen data with each other and negotiating with victims on each other’s behalf.

The gangs were also offering ransomware as a service (RaaS), meaning they recruit affiliate hackers to execute attacks while providing them with malware, infrastructure and ransom negotiation services.

He added that the attackers were getting bolder and were now giving interviews to reporters, issuing press releases and using social media advertising and call centers to harass and pressure victims into paying. They were also reinvesting the profits from ransomware operations to advance both their tactics and their malware, in order to increase their success rate and revenue.