# Wizard Spider


Based on open-source intelligence, the ATT&CK ® Evaluations team created the below scenario leveraging techniques seen from Wizard Spider in the wild. We have adapted the scenario based on tools and resources available at the time.

# Adversary Overview 🪄 🕸️

Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware.[1] In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware.[2][3] This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates.[4] Notable Ryuk attacks include the Universal Healthcare System Hospitals, US Georgia and Florida state government administrative offices, and Chinese companies.[5][6]

According to the FBI, in less than one year (2019-2020) Wizard Spider extorted $61 million USD from ransomware attacks.[7][8] Throughout the operations, the group used a multi-staged approach to manage ransomware campaigns.[9] Prior to encrypting a victim's network, the group exfiltrates sensitive data and threatens to publicly disclose it if the victim refuses to pay the ransom.

Associated Names: UNC1878, TEMP.MixMaster, Grim Spider, Team9

# Emulation Overview

[Figure: Software Flow Diagram]

# Quick Links

# For Engineers 🧑💻

# Resources

The Resources Folder contains the emulated software source code. Executables are provided in password protected zip files located in the specified software folder. The password is malware.

The Binaries.zip contains all executables in one zip file for easy download. The password is malware.

We provide a script to automatically decrypt these files (run from the repository root):

```sh
$ cd wizard_spider
$ python3 Resources/utilities/crypt_executables.py -i ./ -p malware --decrypt
```

# YARA Rules

YARA rules are provided to assist the community in researching, preventing, and detecting malware specimens used in this emulation plan.

# Emulation Key Software 💻

# Scenario Walkthrough

# For Analysts 🔎

  • Operation Flow - High-level summary of the scenario & infrastructure with diagrams.
  • Intelligence Summary - General overview of the Adversary with links to reporting used throughout the scenario.

# Acknowledgements

We would like to formally thank the people who contributed to the content, review, and format of this document. This includes the MITRE ATT&CK and MITRE ATT&CK Evaluations teams, the organizations and people that provided public intelligence and resources, as well as the following organizations that participated in the community cyber threat intelligence contribution process:

  • Microsoft
  • SentinelOne
  • Trellix/McAfee
  • Wojciech Lesicki, @WLesicki

# Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/

# Liability / Responsible Usage

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

# Notice

© 2022 MITRE Engenuity. Approved for Public Release. Document number AT0016.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®. See the ATT&CK Terms of Use.