Cybersecurity News & Analysis · github: defconxt · © 2026 · blacktemple.net

Wizard Spider

Also known as: Trickbot Gang · ITG23 · Grim Spider · UNC1878

Category: cybercrime

Nation: 🇷🇺 Russia

Active Since: 2016

Targets: Financial Services · Healthcare · Government · Critical Infrastructure · Technology · Education

Known Tools: TrickBot · BazarLoader · BazarBackdoor · Ryuk Ransomware · Conti Ransomware · Cobalt Strike · Anchor · PowerTrick

MITRE ATT&CK: T1566.001 · T1059.001 · T1055 · T1027 · T1071.001 · T1573 · T1486 · T1021.001 · T1021.002 · T1078 · T1136

References: CrowdStrike Wizard Spider Profile · CISA Conti Ransomware Advisory AA21-265A · DOJ TrickBot Indictment (2023) · MITRE ATT&CK

Background

Wizard Spider is one of the most prolific and sophisticated financially motivated cybercrime groups operating out of Russia. CrowdStrike first designated the group in 2018, identifying them as the operators of the TrickBot banking trojan ecosystem. The group has since evolved into a comprehensive cybercrime enterprise encompassing malware development, ransomware operations, and initial access brokerage services that underpin multiple ransomware operations.

Wizard Spider originated as the operators of Dyre, a sophisticated banking trojan, before law enforcement disrupted that operation in 2015. They regrouped and developed TrickBot, which became one of the most widespread malware platforms in cybercrime history, infecting millions of devices. The group later developed BazarLoader and BazarBackdoor as stealthier alternatives, and operated both the Ryuk and Conti ransomware enterprises, making Wizard Spider responsible for some of the most damaging ransomware attacks on record.

In 2022, the Conti operation publicly disbanded following an embarrassing internal leak (the "Conti Leaks") and reputational damage from its public support of Russia's invasion of Ukraine. However, key members dispersed and continued operations under new branding, including Black Basta, Royal, and other successor operations, indicating the group's continued operational capability. In 2023, the U.S. DOJ indicted multiple individuals identified as Wizard Spider members for ransomware attacks on critical infrastructure.

Notable Campaigns

TrickBot Banking Fraud (2016-2020): Wizard Spider deployed TrickBot as a banking trojan targeting financial institutions across North America, Europe, and Australia. The malware infected millions of systems and was used for banking credential theft, web injects, and payment fraud. Microsoft and partners disrupted TrickBot infrastructure in October 2020, but the group rebuilt rapidly.

Ryuk Ransomware Operations (2018-2021): Wizard Spider deployed Ryuk ransomware through TrickBot-compromised networks, extorting hospitals, municipalities, newspapers, and enterprises. Notable victims include Universal Health Services ($67M recovery cost), Düsseldorf University Hospital, and the City of Pensacola. Total Ryuk ransom payments exceeded $150 million.

Conti Ransomware Ecosystem (2020-2022): Wizard Spider operated Conti as a ransomware-as-a-service platform with dozens of affiliates. Conti attacked over 400 organizations globally, including the Irish Health Service Executive (HSE) in May 2021, forcing the shutdown of IT systems across 54 Irish hospitals. The Conti Leaks in February 2022 exposed the group's internal communications, organizational structure, and the identities of key members.

Costa Rica Government Attacks (2022): Conti launched an unprecedented campaign against Costa Rican government systems, ultimately forcing President Rodrigo Chaves to declare a national emergency — the first nation to do so in response to a ransomware attack. The attack affected 27 government institutions and disrupted critical public services for months.

Tactics, Techniques & Procedures

Wizard Spider's operations are distinguished by their scale, technical sophistication, and organizational structure. Initial access is achieved through high-volume TrickBot/BazarLoader distribution via phishing campaigns and malspam. The group operates a professional organization with distinct teams handling development, operations, network intrusion, and ransom negotiations.

Post-access operations follow a structured methodology: TrickBot or BazarLoader establishes persistence and conducts credential harvesting, followed by deployment of Cobalt Strike for interactive access. Operators then conduct systematic Active Directory reconnaissance using BloodHound, harvest domain administrator credentials, identify and enumerate backup infrastructure, and finally deploy Ryuk or Conti ransomware at scale.

The group demonstrates patience when targeting high-value organizations, spending weeks or months in networks before deploying ransomware to maximize pressure on victims with complex recovery needs.

Tools & Malware

  • TrickBot: Modular banking trojan and botnet platform with credential theft, network scanning, lateral movement, and malware delivery capabilities. The group's primary distribution platform.
  • BazarLoader / BazarBackdoor: Stealthier successor malware providing initial access and persistent C2 with heavy obfuscation to evade endpoint detection.
  • Ryuk / Conti Ransomware: Enterprise-targeting ransomware payloads developed and operated by Wizard Spider.
  • Cobalt Strike: Commercial adversary simulation tool heavily used for post-exploitation operations.
  • Anchor: Custom malware used for persistent access to high-value targets separate from the TrickBot botnet.
  • PowerTrick: PowerShell-based backdoor used for high-value target operations requiring stealth beyond TrickBot's profile.

Indicators & Detection

Wizard Spider's TrickBot infections can be detected through behavioral patterns including process injection into svchost.exe, network scanning activity, LDAP queries, and communication with TrickBot's modular C2 infrastructure. Block known TrickBot C2 server IP ranges at the network perimeter and implement DNS monitoring for TrickBot's domain patterns.

BazarLoader/BazarBackdoor detection should focus on signed binaries with mismatched digital signatures, process injection into legitimate Windows processes, and DNS-over-HTTPS (DoH) C2 communications. Monitor for BloodHound execution (SharpHound collector), bulk LDAP queries, and PsExec/WMI lateral movement at scale.

Pre-ransomware indicators include backup enumeration and deletion, GPO modification for mass deployment, and connection to Cobalt Strike team server infrastructure. Organizations in healthcare, government, and critical infrastructure should treat unresolved TrickBot or BazarLoader infections as imminent ransomware threats requiring emergency incident response.
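To make the detection guidance above concrete, here is an added example (not code from the original page or from any vendor it references) that scores one host's telemetry against the intrusion stages described in this profile: injection into svchost.exe, SharpHound/BloodHound execution, bulk LDAP queries, PsExec/WMI lateral movement, and shadow-copy deletion as a pre-ransomware sign. The Sysmon-style field names, the event IDs, the LDAP threshold and the sample events are all assumptions constructed for the example.

```python
import re

# Event field names (event_id, target_image, command_line, dest_port) are assumptions
# modelled on Sysmon; the stages follow the profile's post-access methodology.
def _cmd(e, pattern):
    return e["event_id"] == 1 and re.search(pattern, e.get("command_line", ""), re.I)

RULES = [
    ("foothold", "remote thread into svchost.exe", lambda e: e["event_id"] == 8
     and e.get("target_image", "").lower().endswith("\\svchost.exe")),
    ("recon", "SharpHound/BloodHound collector executed",
     lambda e: _cmd(e, r"sharphound|bloodhound")),
    ("lateral", "PsExec or WMI remote process creation",
     lambda e: _cmd(e, r"psexec|wmic.*process\s+call\s+create")),
    ("pre_ransomware", "shadow copy deletion",
     lambda e: _cmd(e, r"vssadmin.*delete\s+shadows")),
]
LDAP_BULK_THRESHOLD = 50  # assumed tuning value for bulk LDAP enumeration

def classify(event):
    """Return (stage, description) for every single-event rule the event matches."""
    return [(stage, desc) for stage, desc, pred in RULES if pred(event)]

def assess_host(events):
    """Aggregate matched stages for one host into a response priority; pre-ransomware
    indicators escalate straight to 'emergency', as the profile advises."""
    stages = {}
    for e in events:
        for stage, desc in classify(e):
            stages.setdefault(stage, set()).add(desc)
    ldap = sum(1 for e in events if e["event_id"] == 3 and e.get("dest_port") == 389)
    if ldap >= LDAP_BULK_THRESHOLD:  # volume rule: many LDAP connections in the window
        stages.setdefault("recon", set()).add(f"bulk LDAP queries ({ldap})")
    if "pre_ransomware" in stages:
        priority = "emergency"
    elif "recon" in stages or "lateral" in stages:
        priority = "high"
    else:
        priority = "medium" if stages else "none"
    return {"priority": priority, "stages": {k: sorted(v) for k, v in stages.items()}}

# Constructed sample telemetry for one host (not indicators taken from the page).
SAMPLE_EVENTS = [
    {"event_id": 8, "target_image": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 1, "command_line": "SharpHound.exe -c All"},
    {"event_id": 1, "command_line": "vssadmin.exe delete shadows /all /quiet"},
] + [{"event_id": 3, "dest_port": 389} for _ in range(60)]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS))
```

Running the sample host yields an "emergency" priority because foothold, recon and pre-ransomware stages are all present, which is exactly the situation the profile says warrants emergency incident response.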
