test_scratch / cti-ATT-CK-v13.1 /ics-attack /intrusion-set /intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
{
"type": "bundle",
"id": "bundle--f8b9df8b-ef3a-4341-96e9-45929ffcb62c",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-22T05:44:27.289Z",
"name": "Wizard Spider",
"description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
"aliases": [
"Wizard Spider",
"UNC1878",
"TEMP.MixMaster",
"Grim Spider"
],
"x_mitre_deprecated": false,
"x_mitre_version": "2.1",
"x_mitre_contributors": [
"Edward Millington",
"Oleksiy Gayda"
],
"type": "intrusion-set",
"id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
"created": "2020-05-12T18:15:29.396Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0102",
"external_id": "G0102"
},
{
"source_name": "Grim Spider",
"description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"
},
{
"source_name": "UNC1878",
"description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)"
},
{
"source_name": "TEMP.MixMaster",
"description": "(Citation: FireEye Ryuk and Trickbot January 2019)"
},
{
"source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020",
"description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"
},
{
"source_name": "FireEye Ryuk and Trickbot January 2019",
"description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
},
{
"source_name": "CrowdStrike Ryuk January 2019",
"description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
"url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
},
{
"source_name": "CrowdStrike Grim Spider May 2019",
"description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.",
"url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"
},
{
"source_name": "FireEye KEGTAP SINGLEMALT October 2020",
"description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
},
{
"source_name": "CrowdStrike Wizard Spider October 2020",
"description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.",
"url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_domains": [
"enterprise-attack",
"ics-attack"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}