Wizard Spider / TrickBot Group
The criminal enterprise that built modern big-game hunting ransomware. Starting with TrickBot as a banking trojan in 2016, Wizard Spider constructed a full-stack cybercrime operation: TrickBot for initial access and credential theft, Ryuk for high-ransom targeting, then Conti as a scaled RaaS, and Black Basta after Conti's 2022 collapse. The group operated at corporate scale — over 100 members at peak, organized hierarchically, with specialized teams for development, operations, and money laundering — before international law enforcement dismantled its core infrastructure and identified its leadership.
Overview
Wizard Spider is the Russia-based criminal syndicate responsible for deploying TrickBot, Ryuk, Conti, BazarLoader, and — through successor affiliates — Black Basta ransomware. Identified as the TrickBot Group by law enforcement agencies across the US, UK, Germany, and the EU, the organization represents the most consequential financially motivated cybercrime operation to emerge from the 2016–2022 period. At its operational peak, the group comprised over 100 members, organized with departmental structures covering malware development, botnet operations, ransomware deployment, and money laundering — functioning, in Prodaft's words, like a corporate enterprise.
The group launched TrickBot in 2016 as a banking trojan descended from the earlier Dyre malware, initially targeting financial institutions through webinjects for credential theft and wire fraud. By 2018, Wizard Spider — operating through a subgroup tracked as GRIM SPIDER — had pivoted to deploying Ryuk ransomware against high-value targets, pioneering what became known as big-game hunting: selecting organizations capable of paying ransoms in the millions rather than mass-distributing lower-ransom payloads. By late 2019, Conti replaced Ryuk as the group's primary ransomware vehicle, and was subsequently offered as a RaaS to affiliated criminal operators. TrickBot infections across more than one million systems worldwide served as the primary pipeline delivering access to enterprise networks that were subsequently ransomed.
The group's trajectory changed sharply in early 2022. Following Russia's invasion of Ukraine, Conti's leadership publicly pledged support for the Russian government — a political statement that prompted an insider to leak over 60 terabytes of internal data including source code, internal chat logs, and operational tools. The ContiLeaks and TrickLeaks disclosures exposed the group's internal structure, member identities, and infrastructure, accelerating Conti's shutdown by mid-2022. Core members dispersed into successor operations including Black Basta, Royal, BlackCat, Karakurt, LockBit, and Silent Ransom. Despite the collapse, the criminal ecosystem Wizard Spider built continues operating through these successor strains.
Law enforcement has maintained sustained pressure. The US and UK jointly sanctioned 18 members across two rounds of action in February and September 2023. The EU added Trickbot-related entities to its cyber sanctions list in June 2024. In May 2025, Germany's BKA — following Operation Endgame — publicly identified Vitaly Nikolaevich Kovalev, alias "Stern," as the group's founder and ringleader, issuing an Interpol Red Notice. Kovalev is believed to remain in Russia.
Germany's BKA publicly named Vitaly Nikolaevich Kovalev (alias "Stern," "Bentley," "Ben") as the founder of the Trickbot group following Operation Endgame. An Interpol Red Notice was issued. The BKA stated the group at times exceeded 100 members and operated in an organized, hierarchically structured, profit-oriented manner. Kovalev was previously sanctioned by the US and UK in February 2023 and faces a US indictment for conspiracy to commit bank fraud. He is believed to be in Russia. No arrest has been made.
Target Profile
Wizard Spider's target selection evolved from financial institutions (credential theft phase) to any large enterprise with sufficient assets to pay multi-million dollar ransoms (big-game hunting phase). Healthcare received particular attention — US healthcare organizations were explicitly targeted in CISA advisories, and several hospital systems suffered life-threatening operational disruptions.
- Healthcare and public health: A sustained and documented priority. Conti and Ryuk attacks disrupted hospital operations across the US and Europe, locking staff out of clinical systems. The May 2021 attack on Scripps Health — one of the largest US healthcare providers — is specifically named in the DOJ indictment of Maksim Galochkin. Three Minnesota medical facilities were infected in 2020, requiring court orders to attempt forced removal from C2 servers.
- Government and critical infrastructure: National and local government entities were targeted for high ransom potential and political disruption value. The group targeted Irish health services, US municipal governments, and entities across European critical infrastructure. Some attacks were timed to maximize operational impact.
- Financial services: TrickBot's original focus. Banking webinjects were used for credential theft, account takeover, and wire fraud against financial institutions and their customers before the group pivoted to ransomware.
- Major corporations and enterprise networks: Any large organization with network infrastructure, significant revenue, and sensitive data was a viable big-game hunting (BGH) target. The group used TrickBot botnet access as a discovery mechanism — infected systems were triaged by network value before ransomware deployment was authorized.
- Manufacturing, logistics, and pharmaceutical: Post-Conti successor campaigns (2023–2025) continued targeting manufacturing and pharmaceutical companies through Black Basta and associated affiliates, using phishing, supply chain vulnerabilities, and misconfigured cloud services.
Tactics, Techniques & Procedures
Wizard Spider operated a full kill-chain spanning initial access through ransomware deployment. The TTP set is among the most extensively documented in cybersecurity research, with distinct phases corresponding to TrickBot infection, lateral movement, and ransomware staging.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | Primary initial access vector across TrickBot campaigns. Malicious Office documents with macros, password-protected archives, and HTML smuggling techniques delivered TrickBot loaders to enterprise targets. Emotet (operated by MUMMY SPIDER) frequently distributed TrickBot to its infected host base, providing Wizard Spider with massive scale. |
| T1055 | Process Injection | TrickBot injected modules into legitimate Windows processes (svchost.exe) to evade detection. The modular framework loaded banking webinjects, credential stealers, network reconnaissance modules, and lateral movement components from C2 infrastructure on demand. |
| T1078 | Valid Accounts | Stealer modules targeted stored browser credentials, email client credentials, Windows credential stores, and Active Directory. Mass credential collection enabled lateral movement and, critically, access to domain controllers required for ransomware deployment at domain scale. |
| T1021.002 | SMB / Windows Admin Shares | TrickBot's shareDll lateral movement module spread across network shares to additional hosts. Combined with harvested domain credentials, this enabled rapid movement through enterprise networks from the initial beachhead to high-value systems including backup servers and domain controllers. |
| T1059.001 | PowerShell | Extensively used across all phases. BazarLoader and Anchor framework communicated over DNS and HTTP using PowerShell execution. Conti ransomware deployment scripts used PowerShell to orchestrate mass deployment via PsExec across AD-joined machines. |
| T1486 | Data Encrypted for Impact (Ransomware) | Ryuk targeted large organizations with ransoms routinely exceeding $5 million, achieving sub-two-hour full-network encryption in documented cases ("Ryuk Speed Run"). Conti used asynchronous I/O for faster file encryption queuing and deployed across AD environments via PsExec or Group Policy. Ransom notes directed victims to negotiation portals. |
| T1484.001 | Group Policy Modification | After acquiring Domain Admin credentials, Wizard Spider modified Group Policy Objects to distribute ransomware binaries and execution scripts to all domain-joined machines simultaneously — enabling near-instantaneous enterprise-wide encryption and eliminating the need to reach each machine individually via PsExec. |
| T1071.004 | DNS Application Layer Protocol | BazarLoader and the Anchor_DNS framework variant communicated with C2 infrastructure via DNS, blending malicious traffic with legitimate DNS queries to evade network detection. This approach was particularly effective in enterprises where outbound DNS is less scrutinized than HTTP/HTTPS. |
| T1490 | Inhibit System Recovery | Prior to ransomware deployment, Ryuk and Conti deleted Windows Volume Shadow Copies (vssadmin delete shadows /all) and disabled backup services to prevent recovery without paying the ransom. Backup systems were specifically targeted for encryption to maximize recovery impact. |
| T1560 | Archive Collected Data / Double Extortion | Conti introduced structured data exfiltration before encryption, threatening public release on a dedicated Conti News leak site if ransom was not paid. This double extortion model became the industry standard for RaaS operations and is continued by Black Basta and other successor groups. |
Known Campaigns
Wizard Spider's operational history is one of the most extensively documented in cybersecurity research, spanning from targeted wire fraud through mass ransomware deployment.
Wizard Spider launched TrickBot — descended from the Dyre banking trojan — as a modular credential-theft and fraud platform targeting financial institutions. Webinject modules intercepted banking sessions and facilitated unauthorized wire transfers. The botnet grew to infect millions of systems globally, with group tags assigned to track different campaign configurations. The modular architecture allowed on-demand deployment of additional capabilities including network propagation, credential dumping, and eventually ransomware staging.
GRIM SPIDER — a Wizard Spider subgroup — began deploying Ryuk ransomware against specifically selected high-value organizations in August 2018, establishing the big-game hunting model that defines modern ransomware. TrickBot infections provided the initial network access; human operators triaged compromised networks for revenue potential before authorizing ransomware deployment. Documented ransom demands routinely exceeded $5 million. Healthcare organizations were a specific priority: hospital systems in Minnesota, the UK, and across Europe were disrupted. CrowdStrike documented a "Ryuk Speed Run" case achieving full network encryption in two hours from initial access.
Concern about potential ransomware attacks against US election infrastructure in the lead-up to the November 2020 election prompted a joint US Cyber Command and multi-vendor operation against TrickBot's C2 infrastructure in September and October 2020. Non-standard configuration files were pushed to infected hosts to isolate them from the botnet. CrowdStrike documented approximately 10,000 unique downloads of the disruption configuration. Despite the operation, TrickBot activity returned to normal pace within weeks, demonstrating the botnet's resilience and Wizard Spider's ability to rebuild rapidly.
Conti replaced Ryuk as Wizard Spider's primary ransomware by late 2019 and was scaled into a full Ransomware-as-a-Service model with affiliates who received a share of ransom proceeds. Conti introduced structured double extortion — exfiltrating data before encryption and threatening publication on a dedicated leak site. Attacks targeted healthcare, government, and enterprise organizations globally. The Irish Health Service Executive (HSE) attack in May 2021 is among the most consequential: it forced the suspension of IT systems across Ireland's national health network, disrupting patient care for weeks. Conti's 2022 internal data leak — triggered by the group's public pro-Russia statement — exposed source code, affiliate structures, and negotiation transcripts, effectively ending the operation by mid-2022.
The May 2021 Conti ransomware attack on Scripps Health — one of the largest US healthcare systems — is specifically named in the DOJ indictment of Maksim Galochkin ("Ajente"), a Wizard Spider member charged with three counts of hacking and deploying Conti. The attack forced diversion of ambulances, postponement of appointments, and disruption of patient records access across Scripps' network. The incident became a landmark example of ransomware attacks on healthcare representing a direct patient safety risk.
Following Conti's 2022 collapse, core Wizard Spider members dispersed into successor ransomware operations. Black Basta emerged as the primary successor carrying forward Conti's double-extortion model and tooling, including repurposed Conti crypters and leaked code. Other former Conti affiliates migrated to Royal, BlackCat, LockBit, Karakurt, AvosLocker, and Silent Ransom. By 2025, Brandefense documented continued campaigns by residual Wizard Spider network elements targeting healthcare facilities, logistics companies, and pharmaceutical companies using phishing, supply chain vulnerabilities, and misconfigured cloud services.
Tools & Malware
Wizard Spider built one of the most sophisticated proprietary cybercrime toolsets in the threat intelligence record, covering every stage of the intrusion lifecycle from initial access through ransomware and money laundering.
- TrickBot: The group's foundational banking trojan and botnet, descended from Dyre. A modular platform supporting webinject-based credential theft, network lateral movement (shareDll module), SQL database enumeration, credential dumping, and second-stage payload delivery. At peak, infected over one million systems globally. Officially discontinued by 2022 in favor of BazarLoader, though remnant activity continued.
- BazarLoader / BazarBackdoor: A lightweight, stealthy loader deployed from April 2020 onward as TrickBot's replacement initial access tool. Communicated over DNS (Anchor_DNS) to evade detection. Designed to compromise enterprise networks and stage them for ransomware deployment without the visibility of a full TrickBot infection.
- Anchor / AnchorMail: A sophisticated backdoor framework — separate from TrickBot — used for targeted enterprise intrusions. Anchor_DNS communicated via DNS for covert C2. AnchorMail used email-based C2. Shared with TrickBot gang affiliates including FIN6. A precursor to full Conti deployment in high-value targets.
- Ryuk ransomware: A targeted ransomware operated by GRIM SPIDER from August 2018, designed for maximum ransom extraction from large organizations. Deleted Volume Shadow Copies, disabled backup services, and targeted backup systems directly before encrypting the environment. Demanded and received ransoms routinely in the millions of dollars.
- Conti ransomware: Wizard Spider's scaled RaaS platform deployed from late 2019 through mid-2022. Asynchronous I/O file encryption for speed, double extortion with a dedicated leak site, and a structured affiliate program. Its source code and internal tooling leaked in the ContiLeaks 2022 disclosure and have since been recycled in multiple successor ransomware families.
- Diavol: A ransomware strain linked to Wizard Spider by FortiGuard Labs in 2021. Shares structural similarities with Conti including asynchronous I/O file queuing. Used in parallel with Conti in some operations, though precise attribution was complicated by the absence of CIS exclusion checks present in Conti samples.
- SystemBC: A proxy malware used as a covert communication channel for Conti operations, enabling encrypted C2 traffic. Deployed alongside Conti and BazarLoader to maintain persistent access in compromised environments and route operator traffic through compromised infrastructure.
- Cobalt Strike: Commercial penetration testing framework used extensively for post-compromise lateral movement, privilege escalation, and command-and-control. Cobalt Strike beacons were a consistent presence in Wizard Spider intrusions between the TrickBot/BazarLoader infection and final ransomware deployment.
Indicators of Compromise
Selected historical IOCs from documented campaigns. Given the group's dispersal and infrastructure rotation since 2022, these serve primarily as attribution and historical reference anchors.
Wizard Spider's infrastructure was substantially disrupted by Operation Endgame and predecessor takedown actions. Domain and IP IOCs from pre-2023 campaigns should be treated as stale. Behavioral indicators and TTP-based detection are more reliable for identifying post-dispersal activity by successor groups carrying forward Wizard Spider tooling and techniques.
Mitigation & Defense
Defending against Wizard Spider's toolkit requires controls at every stage of the intrusion lifecycle. The group's full-chain capability means any single defensive gap — from phishing through to backup access — can be exploited.
- Email gateway and macro controls: TrickBot's initial delivery was overwhelmingly phishing-based. Disable Office macro execution for documents sourced from the internet (enforced via Group Policy or Intune). Inspect and sandbox archive attachments. HTML smuggling requires behavioral detection rather than signature-based controls.
- Privileged access architecture: The group's ransomware phase required Domain Admin access for maximum impact. Implement tiered AD administration (Tier 0/1/2 model), privileged access workstations, and Protected Users group membership for all high-privilege accounts. Limit who can run PsExec and restrict it via application control policies.
- Volume Shadow Copy protection: Ryuk and Conti delete shadow copies immediately before encryption. Monitor for vssadmin.exe invocations that delete shadows, and consider solutions that maintain offsite or immutable backup copies that deletion commands cannot reach. Alert on wmic shadowcopy delete calls.
- Group Policy change monitoring: Alert on GPO modifications that could distribute executables or scripts to domain members. Monitor Windows Event ID 5136 (directory service object modification) for changes to GPOs. Unauthorized GPO modification is a high-fidelity indicator of advanced intrusion.
- DNS traffic analysis: BazarLoader and Anchor_DNS use DNS for C2. Monitor for high-volume, high-entropy subdomain queries to domains with low reputation or recent registration. DNS-based C2 often produces distinctive periodic query patterns that differ from legitimate DNS activity.
- Network segmentation and backup isolation: Wizard Spider specifically targeted backup systems to prevent recovery. Ensure backup infrastructure is on isolated network segments with no trust relationship from production domain accounts. Test backup restoration procedures regularly — backups the attacker can reach and encrypt provide no protection.
- Endpoint detection for Cobalt Strike: Cobalt Strike beacons are a consistent presence in Wizard Spider intrusions. Deploy EDR solutions with Cobalt Strike-specific detections covering process injection, named pipe usage, and reflective DLL loading. Named pipes used by Cobalt Strike (e.g., \\.\pipe\MSSE-* patterns) are detectable via EDR telemetry.
- Disable or restrict lateral movement tools: Restrict PsExec, WMIC, and remote WMI to specific administrative accounts and systems where they have legitimate use. Alert on execution of these tools from non-administrative workstations or during off-hours. SMB signing enforced domain-wide prevents several TrickBot lateral movement techniques.
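The shadow-copy and lateral-movement-tool alerting described in the list above can be expressed as a small triage over process-creation telemetry. The following is an added example written for this profile, not tooling from any of the vendors cited; the events are constructed to resemble Sysmon Event ID 1 fields, and the admin host and account allow-lists, business-hours window, and CORP domain names are assumptions a real deployment would replace with its own inventory.

```python
"""Triage of Windows process-creation events for Wizard Spider-style
pre-encryption activity: shadow copy deletion (T1490) and lateral-movement
tooling run from non-administrative hosts or outside business hours.

Added example for this profile; all events and allow-lists are constructed.
"""
import re
from datetime import datetime

# Constructed sample events modelled loosely on Sysmon Event ID 1 fields.
# The first three are the kind of sequence seen on a beachhead just before
# ransomware staging; the last two are benign administrative activity.
SAMPLE_EVENTS = [
    {"time": "2021-05-01T02:14:07", "host": "WS-FIN-017", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2021-05-01T02:14:09", "host": "WS-FIN-017", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"time": "2021-05-01T02:20:33", "host": "WS-FIN-017", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\DC01 -s cmd.exe"},
    {"time": "2021-05-01T10:05:00", "host": "PAW-ADMIN-02", "user": "CORP\\t0-admin",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\SRV-FILE01 ipconfig"},
    {"time": "2021-05-01T11:12:45", "host": "WS-HR-004", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Command-line patterns for the two shadow copy deletion methods named in
# this profile (vssadmin delete shadows, wmic shadowcopy delete).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Binaries the profile recommends restricting to specific admin systems.
LATERAL_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe", "wmic.exe"}

# Assumed inventory: privileged access workstations and Tier 0 accounts.
ADMIN_HOSTS = {"PAW-ADMIN-01", "PAW-ADMIN-02"}
ADMIN_USERS = {"CORP\\t0-admin"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time, assumed


def triage_event(event: dict) -> list[str]:
    """Return the list of finding labels raised by a single event."""
    findings = []
    if any(p.search(event["cmdline"]) for p in SHADOW_DELETE):
        findings.append("shadow_copy_deletion")
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name in LATERAL_TOOLS:
        # Legitimate use is expected only from a PAW by a Tier 0 account.
        if event["host"] not in ADMIN_HOSTS or event["user"] not in ADMIN_USERS:
            findings.append("lateral_tool_nonadmin")
        if datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
            findings.append("lateral_tool_offhours")
    return findings


def triage(events: list[dict]) -> list[dict]:
    """Triage a batch of events, keeping only those that raised findings."""
    alerts = []
    for ev in events:
        findings = triage_event(ev)
        if findings:
            alerts.append({"time": ev["time"], "host": ev["host"],
                           "user": ev["user"], "findings": findings})
    return alerts


def hosts_to_contain(events: list[dict]) -> set[str]:
    """Hosts on which shadow copies were deleted: encryption is likely imminent,
    so these are the first candidates for network isolation."""
    return {a["host"] for a in triage(events)
            if "shadow_copy_deletion" in a["findings"]}


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
    print("contain:", sorted(hosts_to_contain(SAMPLE_EVENTS)))
```

The read-only `vssadmin list shadows` call is deliberately not flagged; alerting on every vssadmin invocation generates noise from backup software, while the delete verbs are rarely legitimate outside a change window. The `hosts_to_contain` result is what a responder would feed to isolation tooling, because shadow copy deletion typically precedes encryption by minutes.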
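The DNS traffic analysis item above, and the T1071.004 row in the TTP table, describe the BazarLoader and Anchor_DNS pattern of encoded data in high-entropy subdomains sent at regular intervals. The following added example (not from the profile's sources) scores DNS query logs on exactly those two properties: mean Shannon entropy of the subdomain portion and regularity of the query interval per client and domain. The log lines and the domain example-c2.test are constructed; the split into registered domain and subdomain assumes a simple two-label suffix, which a production version would replace with a public suffix list.

```python
"""Detect DNS-tunnelling-style C2 (Anchor_DNS / BazarLoader pattern) from
resolver query logs: bursts of high-entropy subdomains to one domain, often
at a fixed beacon interval. Added example; the log data is constructed."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "<timestamp> <client ip> <query name>".
# The six 16-hex-character labels stand in for encoded beacon data; the
# remaining lines are ordinary lookups from the same and another client.
SAMPLE_QUERIES = """
2021-05-01T03:00:00 10.1.4.22 3a9f1c7e2b04d685.example-c2.test
2021-05-01T03:00:12 10.1.4.22 www.example.com
2021-05-01T03:01:00 10.1.4.22 c41e8a2b6f09d375.example-c2.test
2021-05-01T03:02:00 10.1.4.22 7b0d3f9e1a5c2648.example-c2.test
2021-05-01T03:02:40 10.1.4.22 mail.example.com
2021-05-01T03:03:00 10.1.4.22 e2a7c0f48b1d9365.example-c2.test
2021-05-01T03:04:00 10.1.4.22 5d8c2e1b7a9f0463.example-c2.test
2021-05-01T03:05:00 10.1.4.22 19f3b6e0c5a2d874.example-c2.test
2021-05-01T03:05:10 10.1.4.31 cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Split a query name into (registered domain, subdomain).

    Assumption: the registered domain is the last two labels. Real deployments
    should use a public suffix list so that e.g. .co.uk is handled correctly.
    Names with no subdomain are ignored (nothing to tunnel data in)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname


def analyze(text: str, min_queries: int = 5, entropy_threshold: float = 3.0,
            max_cv: float = 0.2) -> list[dict]:
    """Return one finding per (client, domain) pair whose subdomains are both
    numerous and high-entropy. `periodic` is True when the coefficient of
    variation of the inter-query gap is below max_cv (a steady beacon)."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        parts = split_name(qname)
        if parts is None:
            continue
        domain, sub = parts
        groups[(client, domain)].append((ts, sub))

    findings = []
    for (client, domain), items in groups.items():
        if len(items) < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(sub.replace(".", ""))
                           for _, sub in items) / len(items)
        if mean_entropy < entropy_threshold:
            continue
        times = sorted(ts for ts, _ in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0:
            stdev = (sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) ** 0.5
            cv = stdev / mean_gap
        else:
            cv = 0.0
        findings.append({"client": client, "domain": domain,
                         "queries": len(items),
                         "mean_entropy": round(mean_entropy, 3),
                         "mean_gap_s": mean_gap,
                         "periodic": cv < max_cv})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_QUERIES):
        print(f)
```

On the sample, only the pair (10.1.4.22, example-c2.test) survives both filters: the example.com lookups are too few and have near-zero entropy. Large CDNs and some security products also emit long hashed subdomains, so in practice the entropy score is combined with domain age or reputation, as the list item above suggests, rather than used on its own.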
Wizard Spider's importance to the threat landscape extends beyond its own operations. The group defined the big-game hunting ransomware model adopted by virtually every major ransomware group since 2019, established the RaaS affiliate ecosystem with Conti, and produced tooling — TrickBot, BazarLoader, Anchor, Conti — that persists in successor operations despite the group's formal dispersal. The May 2025 BKA naming of Vitaly Kovalev and issuance of an Interpol Red Notice is a significant law enforcement milestone, but jurisdictional barriers mean no arrest is imminent. Black Basta, the closest successor operation carrying Wizard Spider's tooling and TTPs, itself experienced an internal chat leak in early 2025 — reflecting the same organizational instability pattern that destroyed Conti. Core Wizard Spider tradecraft should continue to inform enterprise defensive architecture regardless of the group's formal status.
Sources & Further Reading
Attribution and references used to build this profile.
- BleepingComputer — Germany Names Vitaly Kovalev as Stern, TrickBot / Conti Ringleader (2025)
- US Treasury — US and UK Sanction Members of Russia-Based Trickbot Cybercrime Gang (2023)
- Brandefense — Wizard Spider: The Financial Empire Behind Global Ransomware Operations (2025)
- The Hacker News — Researchers Expose Inner Workings of Wizard Spider Cybercrime Gang (2022)
- CrowdStrike — Wizard Spider Modifies and Expands Toolset (2020)
- The Register — Wizard Spider, the Multimillion-Dollar Gang Behind Conti (2022)
- MITRE ATT&CK — Group G0102: Wizard Spider
- Malpedia — Wizard Spider Actor Card
- CyberScoop — US and UK Sanction TrickBot Members, First UK Cyber Sanctions (2023)