2019-04
Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns
https://securityintelligence.com/cybercriminals-spoof-major-accounting-and-payroll-firms-in-tax-season-malware-campaigns/
2019-06
During June and July, F5 researchers first noticed Trickbot campaigns that were aimed at a smaller set of geographically oriented targets and did not use redirection attacks, a divergence from previous Trickbot characteristics.
https://www.f5.com/labs/articles/threat-intelligence/tricky-trickbot-runs-campaigns-without-redirection
2019-08
In a recent analysis in our cybercrime research labs, we noticed changes in the deployment of the TrickBot Trojan. At the time, the change we observed only applied to infection attempts on Windows 10 64-bit operating systems (OSs). In those cases, TrickBot ran the payload, but did not save its typical modules and configurations to disk.
https://securityintelligence.com/posts/the-curious-case-of-a-fileless-trickbot-infection/
2019-10
Computers at the DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center were infected with ransomware.
https://www.bbc.com/news/technology-49905226
2019-10
Shipping giant Pitney Bowes hit by ransomware
https://techcrunch.com/2019/10/14/pitney-bowes-ransomware-attack/
2019-11
Louisiana was hit by Ryuk, triggering another cyber-emergency
https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/
2019-12
TrickBot Widens Infection Campaigns in Japan Ahead of Holiday Season
https://securityintelligence.com/posts/trickbot-widens-infection-campaigns-in-japan-ahead-of-holiday-season/
2019-12
The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT
https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/
2019-12
The cyberattack that took down public-access computers at Volusia County, Fla., libraries last month involved ransomware that has elicited millions of dollars in ransom payments from governments and large businesses.
https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html
2019-12
New Orleans latest apparent victim of Ryuk ransomware
https://statescoop.com/new-orleans-latest-apparent-victim-of-ryuk-ransomware/
2019-12
An infection with the Ryuk ransomware took down a maritime facility for more than 30 hours, the US Coast Guard said in a security bulletin it published before Christmas.
https://www.zdnet.com/article/us-coast-guard-discloses-ryuk-ransomware-infection-at-maritime-facility/
2019-12
Suspected Ryuk ransomware attack locks down Adelaide's City of Onkaparinga council
https://www.abc.net.au/news/2020-01-06/city-of-onkaparinga-hit-by-ryuk-ransomware/11843598
2020-01
On the heels of a Ryuk ransomware attack on the Tampa Bay Times, researchers reported a new variant of the Ryuk stealer being aimed at government, financial and law enforcement targets.
https://www.scmagazine.com/home/security-news/tampa-bay-times-hit-by-ryuk-new-variant-of-stealer-aimed-at-govt-finance/
2020-01
Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.
https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/
2020-01
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
2020-02
Ryuk Ransomware Campaign Targets Port Lavaca City Hall
https://www.cisomag.com/ryuk-ransomware-campaign-targets-port-lavaca-city-hall/
2020-02
EMCOR Group, a US-based Fortune 500 company specialized in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems.
https://www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/
2020-02
Epiq Global, an international e-discovery and managed services company, has taken its systems offline globally after detecting unauthorized activity.
https://www.lawsitesblog.com/2020/03/epiq-global-down-as-company-investigates-unauthorized-activity-on-systems.html
2020-03
Trickbot campaign targets Coronavirus fears in Italy
https://news.sophos.com/en-us/2020/03/04/trickbot-campaign-targets-coronavirus-fears-in-italy/
2020-03
EVRAZ, one of the world's largest steel manufacturers and mining operations, has been hit by ransomware, a source inside the company told ZDNet today.
https://www.zdnet.com/article/one-of-roman-abramovichs-companies-got-hit-by-ransomware/
2020-03
The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/
2020-03
New Variant of TrickBot Being Spread by Word Document
https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html
2020-03
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
https://labs.bitdefender.com/2020/03/new-trickbot-module-bruteforces-rdp-connections-targets-select-telecommunication-services-in-us-and-hong-kong/
2020-03
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany
https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/
2020-04
BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/
2020-04
TrickBot Campaigns Targeting Users via Department of Labor FMLA Spam
https://securityintelligence.com/posts/trickbot-campaigns-targeting-users-via-department-of-labor-fmla-spam/
2020-04
As early as April 2020, TrickBot updated one of its propagation modules known as “mworm” to a new module called “nworm.” Infections caused through nworm leave no artifacts on an infected DC, and they disappear after a reboot or shutdown.
https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
2020-07
Collaboration between FIN7 and the RYUK group
https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
2020-07
The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine.
https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/
2020-07
Leading toy maker Mattel hit by ransomware
https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/
2020-08
University of Utah pays $457,000 to ransomware gang
https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/
2020-08
Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites
https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/
2020-09
US Court Hit by “Conti” Ransomware
https://www.cbronline.com/news/conti-ransomware-court
2020-09
Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning.
https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
2020-10
French IT giant Sopra Steria hit by Ryuk ransomware
https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/
2020-10
Steelcase furniture giant hit by Ryuk ransomware attack
https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/
2020-11
LightBot: TrickBot’s new reconnaissance malware for high-value targets
https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/
2020-11
Online education giant K12 Inc. has paid a ransom after their systems were hit by Ryuk ransomware in the middle of November.
https://www.bleepingcomputer.com/news/security/k12-online-schooling-giant-pays-ryuk-ransomware-to-stop-data-leak/
2021-01
FatFace sends controversial data breach email after ransomware attack
https://www.bleepingcomputer.com/news/security/fatface-sends-controversial-data-breach-email-after-ransomware-attack/
2021-01
Scottish Environment Protection Agency refuses to pay ransomware crooks over 1.2GB of stolen data
https://www.theregister.com/2021/01/18/scottish_environment_protection_agency_refuses_to_pay_ransom/
2021-02
Trickbot Rebirths Emotet: 140,000 Victims in 149 Countries in 10 Months
https://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/
2021-03
Ryuk ransomware hits 700 Spanish government labor agency offices
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-hits-700-spanish-government-labor-agency-offices/
2021-03
Ransomware gang wanted $40 million in Florida schools cyberattack
https://www.bleepingcomputer.com/news/security/ransomware-gang-wanted-40-million-in-florida-schools-cyberattack/
2021-04
BazarLoader deploys a pair of novel spam vectors
https://news.sophos.com/en-us/2021/04/15/bazarloader/
2021-05
Green Energy Company Volue Hit by Ransomware
https://www.securityweek.com/green-energy-company-volue-hit-ransomware
2021-05
Conti ransomware also targeted Ireland's Department of Health
https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/
2021-05
Ireland’s Health Services hit with $20 million ransomware demand
https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/
https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/
2021-05
New Zealand hospitals infected by ransomware, cancel some surgeries
https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/
2021-05
Operation “BazaFlix”
The threat actor created a robust fake movie streaming service called BravoMovies, complete with fake movie titles as a landing page.
https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service
2021-05
Exagrid pays $2.6m to Conti ransomware attackers
https://www.computerweekly.com/news/252501665/Exagrid-pays-26m-to-Conti-ransomware-attackers
2021-06
City of Liege, Belgium hit by ransomware
https://therecord.media/city-of-liege-belgium-hit-by-ransomware/
2021-06
Tulsa warns of data breach after Conti ransomware leaks police citations
https://www.bleepingcomputer.com/news/security/tulsa-warns-of-data-breach-after-conti-ransomware-leaks-police-citations/
2021-06
Diavol - A New Ransomware Used By Wizard Spider?
https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
2021-08
Conti ransomware prioritizes revenue and cyberinsurance data theft
https://www.bleepingcomputer.com/news/security/conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft/
2021-08
Nokia subsidiary discloses data breach after Conti ransomware attack
https://www.bleepingcomputer.com/news/security/nokia-subsidiary-discloses-data-breach-after-conti-ransomware-attack/
2021-09
JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data
https://www.bleepingcomputer.com/news/security/jvckenwood-hit-by-conti-ransomware-claiming-theft-of-15tb-data/
2021-10
Conti gang threatens to dump victim data if ransom negotiations leak to reporters
https://therecord.media/conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters/
2021-10
Sandhills online machinery markets shut down by ransomware attack
https://www.bleepingcomputer.com/news/security/sandhills-online-machinery-markets-shut-down-by-ransomware-attack/
2021-10
Conti Ransom Gang Starts Selling Access to Victims
https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/
2021-11
Celebrity jewelry house Graff falls victim to ransomware
https://blog.malwarebytes.com/ransomware/2021/11/celebrity-jewelry-house-graff-falls-victim-to-ransomware/
2021-11
Data breach impacts 80,000 South Australian govt employees [Frontier Software]
https://www.bleepingcomputer.com/news/security/data-breach-impacts-80-000-south-australian-govt-employees/
2021-11
From Shathak Emails to the Conti Ransomware
https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware
https://www.bleepingcomputer.com/news/security/trickbot-teams-up-with-shatak-phishers-for-conti-ransomware-attacks/
2021-12
Nordic Choice Hotels hit by Conti ransomware, no ransom demand yet
https://www.bleepingcomputer.com/news/security/nordic-choice-hotels-hit-by-conti-ransomware-no-ransom-demand-yet/
2021-12
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/
2021-12
Australian Electricity Provider 'CS Energy' Hit by Ransomware
https://www.securityweek.com/australian-electricity-provider-cs-energy-hit-ransomware
2021-12
McMenamins breweries hit by a Conti ransomware attack
https://www.bleepingcomputer.com/news/security/mcmenamins-breweries-hit-by-a-conti-ransomware-attack/
2021-12
Shutterfly services disrupted by Conti ransomware attack
https://www.bleepingcomputer.com/news/security/shutterfly-services-disrupted-by-conti-ransomware-attack/
2021-12
RR Donnelley has confirmed that threat actors stole data in a December cyberattack, confirmed by BleepingComputer to be a Conti ransomware attack.
https://www.bleepingcomputer.com/news/security/marketing-giant-rrd-confirms-data-theft-in-conti-ransomware-attack/
2021-12
Indonesia's central bank confirms ransomware attack, Conti leaks data
https://www.bleepingcomputer.com/news/security/indonesias-central-bank-confirms-ransomware-attack-conti-leaks-data/
2022-01
The Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese electronics manufacturing company and a major supplier of power components to companies like Apple and Tesla.
https://therecord.media/conti-ransomware-hits-apple-tesla-supplier/
2022-01
KP Snacks giant hit by Conti ransomware, deliveries disrupted
https://www.bleepingcomputer.com/news/security/kp-snacks-giant-hit-by-conti-ransomware-deliveries-disrupted/
2022-02
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/
2022-02
The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works
https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works
2022-02
Something strange is going on with Trickbot
https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
2022-02
Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail
https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
2022-02
Panasonic: February ransomware attack only affected Canada branch
https://therecord.media/panasonic-february-ransomware-attack-only-affected-canada-branch/
2022-03
Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say
https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/
2022-03
Shutterfly discloses data breach after Conti ransomware attack
https://www.bleepingcomputer.com/news/security/shutterfly-discloses-data-breach-after-conti-ransomware-attack/
2022-03
Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin
https://www.securityweek.com/ransomware-gang-leaks-files-stolen-industrial-giant-parker-hannifin
2022-03
Snap-on discloses data breach claimed by Conti ransomware gang
https://www.bleepingcomputer.com/news/security/snap-on-discloses-data-breach-claimed-by-conti-ransomware-gang/
2022-04
The Parker-Hannifin Corporation announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month.
https://www.bleepingcomputer.com/news/security/engineering-firm-parker-discloses-data-breach-after-ransomware-attack/
2022-04
Wind turbine firm Nordex hit by Conti ransomware attack
https://www.bleepingcomputer.com/news/security/wind-turbine-firm-nordex-hit-by-conti-ransomware-attack/
2022-04
Conti ransomware attack was aimed at destabilizing government transition, Costa Rican president says
https://therecord.media/conti-ransomware-attack-was-aimed-at-destabilizing-government-transition-costa-rican-president-says/
https://therecord.media/ransomware-gang-threatens-to-overthrow-new-costa-rica-government-raises-demand-to-20-million/
https://therecord.media/son-of-conti/
2022-04
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine/
2022-05
Conti ransomware claims to have hacked Peru MOF – Dirección General de Inteligencia (DIGIMIN)
https://securityaffairs.co/wordpress/131093/cyber-crime/conti-ransomware-peru-direccion-general-de-inteligencia.html
2022-06
Conti ransomware group’s pulse stops, but did it fake its own death?
https://blog.malwarebytes.com/ransomware/2022/06/conti-ransomware-disappears-did-it-fake-its-own-death/