{ "type": "bundle", "id": "bundle--f8b9df8b-ef3a-4341-96e9-45929ffcb62c", "spec_version": "2.0", "objects": [ { "modified": "2023-03-22T05:44:27.289Z", "name": "Wizard Spider", "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider" ], "x_mitre_deprecated": false, "x_mitre_version": "2.1", "x_mitre_contributors": [ "Edward Millington", "Oleksiy Gayda" ], "type": "intrusion-set", "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "created": "2020-05-12T18:15:29.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102", "external_id": "G0102" }, { "source_name": "Grim Spider", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" }, { "source_name": "UNC1878", "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" }, { "source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" }, { "source_name": "FireEye Ryuk and Trickbot January 2019", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Ryuk January 2019", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" }, { "source_name": "CrowdStrike Grim Spider May 2019", "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" }, { "source_name": "FireEye KEGTAP SINGLEMALT October 2020", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" }, { "source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }