Ransomware has become a multibillion-dollar industry, and roughly 15% of its business goes through a single group called Wizard Spider. This group – who are thought to work closely with the Russian government and remain under investigation by the FBI and Interpol – have used the “Conti” ransomware strain in more than 400 known attacks. While the media refers to the group as the "Conti Ransomware Gang," the group doesn’t view itself as a gang. The group would rather be viewed as a business.

A Booming Business
As they become larger and more profitable, criminal groups such as Wizard Spider often mimic legitimate business practices. Victim organizations are rebranded as "customers," extortion attempts become "negotiations," and criminal peers are called "affiliates." Their dedicated site on the Dark Web even has a collection of "press releases."

The group’s "business model" involves training independent affiliates in how to deploy the ransomware and then taking a 30% cut of the profits themselves. However, because exact profits are revealed to Wizard Spider and not their affiliates, this percentage is normally much higher.

One underpaid affiliate caught wind of the gang’s practices in August 2021 and began leaking their resources, declaring in protest, “they recruit suckers and divide the money among themselves.”

Meanwhile, the US government has taken measures to obstruct groups like Wizard Spider; beginning this year it will impose sanctions on cryptocurrency exchanges facilitating ransomware transactions.

However, these setbacks haven’t perturbed Wizard Spider, whose profits have continued to soar. Conventional cyber defenses have consistently failed to keep up with the group’s innovations in attack techniques – and so the organizations that employ them remain firmly in Wizard Spider’s target market.

How Wizard Spider Gets In
One of the group’s recent targets was a transportation company in the US. It took a single missed Microsoft patch and resulting ProxyShell vulnerabilities to leave the company open to attack. This is a relatively new exploit for Wizard Spider, who previously relied on phishing attacks and firewall exploits.

Two weeks after the initial breach, rare connections were made to an unusual endpoint in Finland using an SSL client that appeared innocuous. The endpoint was not known to threat intelligence tools at the time, meaning rules and signature-based security tools didn’t know what to detect.

Going Public With Conti News
If you refuse to pay its ransom, Wizard Spider will not only take your most important files from you, but the group will also exfiltrate and publish them using its dedicated "Conti News" website or sell them directly to your competitors. This is double extortion ransomware, and it’s the Conti gang’s favorite new sales tactic.

In the transportation company's case, three terabytes of company data was uploaded over four days, and then rapidly encrypted. Encryption began at almost midnight, meaning human security teams weren’t available to organize a response – the ransomware "business" never respects business hours. The next morning, the company was met with a ransom note.

The company was able to investigate and connect the dots of the attack using Darktrace’s security AI tool. The security tool’s natural-language report brings disparate events into a cohesive attack narrative

How Ransomware Attackers Evade Cyber Intelligence
It’s all too easy for threat actors to alter the infrastructure of their attacks, and in this case something as simple as a new endpoint was enough to beat threat intelligence. This is how Wizard Spider continues to thrive, and it’s a problem that governmental sanctions and defecting insiders are fundamentally unable to address.

Organizations need to take matters into their own hands with a new approach. By using AI that learns what normal business operations look like, anomalous behavior that inevitably arises from a ransomware attack can be identified at every stage, even when it’s using never-before-seen attack methods.

And in an era of fast-moving cyberattacks and threat actors deliberately striking when security teams are out of the office, AI technologies have become essential in taking targeted action to contain threats, without interrupting normal business.

If leaks or legislation were to bring down Wizard Spider, other groups would simply rise up to fill the gap in the market. Ultimately, ransomware must be made unprofitable if it’s to be stopped. One way to do that is to use AI to stop ransomware attacks at every stage of their attacks, weeks before human analysts can.