Wizard Spider profile: Suspected gang behind HSE attack is part of world’s first cyber-cartel

Health service attack regarded as a for-profit crime rather than any proxy attack by Russia

The Russian-speaking cybercrime gang, Wizard Spider, suspected of launching an attack on the HSE and Department of Health, is the biggest and most advanced gang in the world's first cyber-cartel. That cartel, made up of five Russian-speaking cyber gangs, was formed last year and dominates ransomware attacks across the globe.

At least some members of Wizard Spider are believed to be based in Russia, where their activities are tolerated by the state as long as they do not attack Russian targets. The code they use in their malware or ransomware is programmed to uninstall itself if it lands on a Russian-language system or on any system with an internet protocol (IP) address in a former Soviet state.

It is widely suspected across the international community that Russia tolerates Wizard Spider as long as they attack targets in the West. They are also suspected of working on behalf of Russian authorities, lending their infrastructure and expertise to carry out state-backed attacks on Russia’s enemies. However, the attack on the HSE is regarded as a for-profit crime intended to extract a ransom from the HSE, rather than any proxy attack by Russia on the Republic.

Wizard Spider has been known to attack healthcare facilities in the past but its attack on the Irish health system is regarded as unprecedented in its scale and because it has targeted a national healthcare system, which has never happened before. The size of the ransom demanded is also much larger than previous demands.


Ciaran Martin, the Northern Irishman who until recently led Britain's National Cyber Security Centre (NCSC), said while healthcare facilities in the US and some in Europe had been targeted in ransomware attacks, he knew of no attack on the same scale as that on the HSE.

"The deliberate targeting of a State-run health care system is without parallel in my experience," he said. While the NHS had been hit by the WannaCry ransomware attack four years ago, it had been accidentally infected during an effort by North Korea to rob Asian banks rather than being the target.

Those members of Wizard Spider who are based in Russia rarely, if ever, leave that country for fear of being arrested. However, security sources said it was highly likely the people who make up Wizard Spider - who have never been identified - are also based in other countries, mainly Ukraine. The same sources said it was likely many members of the groups had never met and did not know each other, apart from on the Darknet.

Espionage Malware

Wizard Spider previously used Ryuk ransomware though, of late, has been using Conti, which is the ransomware deployed against the HSE. Uniquely among cybergangs, evidence has been found of ransoms from simultaneous Ryuk and Conti attacks being transferred into Bitcoin wallets controlled by Wizard Spider. This means the gang is conducting several attacks using different methods at the same time.

That is seen by the cyber-security industry as strong evidence that Wizard Spider is much bigger than the other gangs in the Ransom Cartel, also known as the Maze Cartel, and is split into several teams. Wizard Spider is also unique in global cybercrime in another sense: evidence is now beginning to emerge that it is the first cyber-gang in the world to have espionage malware. The espionage malware it is using, Sido, seeks to capture information only; there is no financial component.

A report by US cybersecurity firm Analyst1 said the fact Wizard Spider is using Sido is highly unusual as "this type of tool is typically associated with nation-state attacks geared towards espionage".

The report continued: “Naturally, this raises many questions about why Wizard Spider uses it. As an analyst, you have to ask yourself: why would a ransomware gang need espionage malware?”

All of the groups in the Ransom Cartel, or Maze Cartel, that officially joined forces last summer - Twisted Spider, Wizard Spider, Viking Spider, Lockbit gang, SunCrypt gang - engage in the same activities as those now underway against the HSE.

They break into a target’s computer systems with malicious software - malware or ransomware - and encrypt and copy files and other data. They then seek a ransom, to be paid in untraceable Bitcoin, in exchange for unlocking the files they have encrypted. If they are not paid they leak the data they have stolen, often personal or commercially sensitive information, on special ‘leak sites’.

Wall of shame

On its leak site, Wizard Spider issues press releases designed to humiliate the companies it has attacked and is trying to extort, using tactics to publicly embarrass them. This includes a “wall of shame” on which companies are nominated for the “hole of the month” or “clown of the month” and during which they are generally taunted with insults and name-calling.

Late last week Wizard Spider effectively abducted the digital assets of the HSE - by copying them and retaining the copies while also locking and encrypting the originals. They claim if they are paid $20 million in Bitcoin they will unlock the systems. But if they are not paid, they will not undo the encryption and will instead seek to exploit the data they have stolen. This means sharing it online in revenge for not receiving their ransom payment or selling it to other criminals. If personal, including patient, information is shared or sold, other criminals could use it to extort those people in Ireland whose data has been accessed.

Jon DiMaggio, chief security analyst at Analyst1, a US company specialising in cyber espionage and targeted attacks, published the report - "Ransom Mafia: Analysis of the world's first ransomware cartel" - which examined Wizard Spider and the other gangs in the cartel. He concluded Wizard Spider has been conducting ransomware attacks since 2016 and that last August it joined the Ransom Cartel.

“Beyond their experience alone, Wizard Spider has more tools, malware, and sophisticated capabilities than any other cartel gangs,” DiMaggio’s report says. He explained the Conti malware it used was able to “defeat defenses and encrypt victim data faster than any other variant” to date. It can identify if data is stored locally or shared over a network. And this means it can automatically focus on valuable data and “leave non-essential data on local systems alone”. Just three months ago it added a “worm-like” capability to its methods and this “ensured Wizard Spider could access all victim systems, thereby maximising ransom encryption throughout the (targeted) environment”.

Mr DiMaggio’s report was prompted by a press release in June of last year from Twisted Spider, an Eastern European or Russian gang. It claimed it had joined forces with four other groups, including Wizard Spider, suspected in the HSE attack, and that collectively they were working together in a cartel.

DiMaggio’s report investigated the claim the gangs had formed a cartel. He did this by studying cryptocurrency transactions and the nature and volume of content on leak sites. He found the gangs were acting in unison, sharing each other’s stolen data and negotiating with victims for each other.

The gangs were also “offering ransomware as a service (RaaS)”, which means “hiring hackers to execute attacks while providing them with malware, infrastructure, and ransom negotiation services”.

He added the attackers were “becoming bolder” and were now “conducting PR interviews with reporters, issuing press releases, and leveraging social media ads and call centers to harass and pressure victims into paying”. They were also “reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue”.