Overview: Wizard Spider conducts financially motivated cybercrime. It is closely linked with Exotic Lily, which specializes in the deployment of ransomware (including Conti and Diavol).
Suspected Attribution: Russia-based.
Target Sectors: A variety of large organizations, from tech companies to healthcare.
Attack Vectors: persistence established via Registry keys, macros that execute PowerShell scripts, exfiltration of credentials over C2, Base64 encoding for obfuscation, Kerberoasting.
Associated Malware: BloodHound, BokBot, Conti, Empire, Emotet, GrimAgent, Metasploit, Ryuk, TrickBot.