# Intelligence Summary

# Adversary Overview 🪄 🕸️

Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware.¹ In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware.^{2 3} This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates. ⁴  Notable Ryuk attacks include the Universal Healthcare System Hospitals, US Georgia and Florida state government administrative offices, and Chinese companies. ^{5 6}

According to the FBI, in less than one year (2019-2020) Wizard Spider extorted $61 million USD from ransomware attacks. ^{7 8} Throughout the operations, the group used a multi-staged approach to manage ransomware campaigns.⁹ Prior to encrypting a victim's network, the group exfiltrates sensitive data and threatens to publicly disclose it if the victim refuses to pay the ransom.

Associated Names: UNC1878, TEMP.MixMaster, Grim Spider, Team9

# Group Overview Report References 🔗

# Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/