Show Notes

Cold Open

The following presentation is not suitable for young children. Listener discretion is advised.

On July 16, 2019, Teiranni Kidd experienced the same sensation that about 400,000 people on Earth would also feel that day: she went into labor.

So, the former high school track star did what many of those folks did. She checked herself into the nearest hospital: Springhill Memorial, in Mobile Alabama.

Teiranni had every reason to expect a safe and healthy delivery. She had every reason to expect excellent care from Springhill. 

Only, not all was well at Springhill.

Eight days earlier, Springhill was hit by a ransomware attack—cyber criminals infiltrated Springhill’s network and installed malicious software, known as malware, on its servers. The cyber criminals then encrypted Springhill’s network, making it impossible for doctors and nurses to access patient records. They also shut down Springhill’s computers, rendering them useless—unless Springhill paid tens of thousands of dollars.

Meanwhile, its doctors, nurses, and other employees scrambled to adjust to a new normal: paper-based medical records. In some cases, they literally had to draw graphs representing patients’ vital signs. This is called “paper charting.” As you can imagine, nurses haven’t had to do this for decades. The older nurses on staff had to quickly teach the younger nurses how to paper chart while also keeping their patients alive.

But Springhill told Teiranni none of this. Publicly, the hospital insisted that it had merely suffered a “security incident,” which wouldn’t affect patient care. 

Teiranni was admitted to the hospital and given a room. Normally, Teiranni’s and her baby’s vital signs would have been displayed on a bank of monitors at the nurse’s station, along with all the other patients’ on the ward. Every nurse and doctor could see it and respond to an emergency.

But today, a single printer was designated to print out alerts about any anomalies, and a single nurse was assigned to monitor it.

This is how nobody realized that Teiranni’s unborn baby was losing oxygen. This is why Teiranni didn’t get a C-section.

Teiranni gave birth to her daughter, Nicko Silar. When Nicko was born, her umbilical cord was wrapped around her neck. She sustained brain damage.

The attending physician would later text the head nurse demanding an explanation: “I need u to help me understand why I was not notified,” she wrote. “This was preventable.”

Teiranni was devastated, of course. In December, Teiranni and Nicko took family photos celebrating their first Christmas together. The following April, Nicko passed away.

Teiranni wanted justice. The week after Nicko’s birth, she filed a lawsuit against Springhill, seeking damages for her daughter’s condition. But she also wanted answers.

Teiranni didn’t know it yet, but she and her daughter were two victims among thousands. Springhill was just one of hundreds of hospitals hit with ransomware—and all of these attacks could be traced back to the same place: Russia—and specifically, one of the most successful cybercrime gangs in the world. One that would come to be known as “Wizard Spider.”

On this episode: ransomware, Russia, and the lucrative world of online extortion. 

I’m Keith Korneluk and you’re listening to Modem Mischief.

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Wizard Spider.

Hey everybody! We've been getting some emails and DMs coming in with ideas for new shows. I'm here to tell you that I love that. If there's a story or topic you'd like for us to cover on Modem Mischief, slide into our DMs or email me directly at keith@modemmischief.com. My suggestion box is always open to our listeners. I appreciate not just the feedback but also the suggestions. That's why we make the show. And, while you're emailing, leave us a 5-star review on your podcast player as well as a review (if that's a feature). It helps the show and feeds my ego just enough to keep me moving but not enough to become a narcissist. Oh, one more thing: if you'd like to support the show, consider becoming a patron on Patreon. For just $5/month you'll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. We've got... 16 of them now. Head over to patreon.com/modemmischief. You can also support us through a paid subscription on Apple Podcasts. That's it everybody. And now... on with the show!

Act One

Today, ransomware is responsible for about $20 billion in damages annually. But how did things get to this point? And why is Russia such a ransomware hotbed?

It’s all because someone didn’t get a job.  

That someone was Dr. Joseph Popp. Dr. Popp was an AIDS researcher with a degree in evolutionary biology from Harvard. In 1989, he applied for a job at the World Health Organization. He was denied. Dr. Popp was outraged and wanted revenge.

He decided to exact that revenge on the worldwide community of AIDS researchers. He developed a program that would encrypt files on a computer, calling it “PC Cyborg Trojan.” Dr. Popp hid this Trojan on a 5.25-inch floppy disk, which he labeled the “AIDS Information Introductory Diskette.”

Dr. Popp made 20,000 copies of these floppy disks, costing him $10,000. Then, he obtained the mailing list for the magazine PC Business World, which he knew many AIDS researchers subscribed to. Dr. Popp packaged the disks into 20,000 envelopes, labeled them with 20,000 addresses, and mailed them into the world.

Thousands of unsuspecting AIDS researchers slipped these disks into their computers, thinking they held important AIDS research. Dr. Popp’s Trojan lay dormant until the user rebooted their computer 89 times. On the 90th reboot, it would display a message warning them that their files were encrypted. To unlock them, victims had to send $189 to a P.O. Box in Panama.

Only…it wasn’t as scary as it seemed. Tech-savvy victims quickly learned that the Trojan’s encryption was amateurish. One IT person in Belgium created a decryption tool in just 10 minutes and released it for free. Still, more than 1,000 computers were infected, and some researchers lost their life’s work.

As for Dr. Popp, the law eventually caught up to him. He was charged with several counts of blackmail and had a nervous breakdown. While in prison, he was observed wearing cardboard boxes like clothing, putting rollers in his hair to protect against radiation and micro-organisms, and hanging condoms on his nose (and I’m not here to kink shame but I’m pretty sure condoms are supposed to be worn elsewhere..or maybe not at all). As a result, he was deemed unfit for trial.

This might have been the end of the history of ransomware. Through the ’90s and early 2000s, few criminals used it to extort people. True, encryption technology got better than Dr. Popp’s primitive attempt. But the problem was money. Criminals had no way to securely transfer money online without being traced.

This changed when Satoshi Nakamoto mined the first Bitcoin in 2009—and if you’d like to learn more than you ever wanted to know about Bitcoin and the history of crypto, check out episode 41 about Ruja Ignatova aka Crypto Queen and One Coin.

Suffice to say, Bitcoin offered a (mostly) secure way for criminals to accept a ransom payment. Soon, ransomware would become a thriving business, mainly centered in Russia.

But why is Russia such a hotbed of cybercrime? In short, the Soviet Union created a top-notch education system, especially for computer engineering. 

But then, the Soviet Union dissolved in December 1991. Russia’s economy collapsed. As a result, a generation of highly educated computer programmers couldn’t find work—legal work, anyway.

And then Vladimir Putin was elected president in 2000. Under Putin’s leadership, Russia turned a blind eye to its growing cybercriminal community, so long as cyber crooks obeyed three rules:

1. Don’t hack Russian targets

2. Give Russia a cut of the proceeds, and

3. If Russia needs a favor, you do it.

Which brings us to the ransomware group Wizard Spider.

Point of clarification. Wizard Spider got its name from the cybersecurity firm CrowdStrike. We still don’t know what Wizard Spider’s members call the group.

CrowdStrike coined the name in 2020, at least five years after Wizard Spider became operational. Before this, it was referred to by the names of the malware it uses: Dyre, Trickbot, Ryuk, or Conti. Yes, it’s confusing (not to mention hard to pronounce).

We also don’t know the names or identities of many of its members. This is often the case with stories about cybercriminal groups, especially those located in and protected by countries hostile to the United States, like Russia.

And we can only tell you about a small slice of the crimes Wizard Spider has committed. Partly, this is due to time constraints. Wizard Spider has committed thousands of ransomware attacks. But it’s also because we don’t know exactly how many crimes it’s committed. Many of the companies Wizard Spider attacks decide to keep the security breach to themselves so as not to appear vulnerable. They simply pay the ransom, upgrade their systems, and move on.

Having said all that, there’s a lot we do know about Wizard Spider. This isn’t some small-time outfit of geeks living in their parents’ basements. Wizard Spider functions more like a corporation than a criminal gang, divided into teams with different responsibilities. 

It’s unknown exactly how many members belong to Wizard Spider, but probably a couple hundred. They would often be recruited online, from hacker forums on both the clear and dark web. Some recruits knew they were joining a criminal gang, while others were kept in the dark.

Most lived in Russian cities like St. Petersburg and Moscow, but some lived in former Soviet countries like Belarus and Ukraine. Almost all were men between ages 25 and 40. They joined to make money, and to stick it to what they saw as arrogant American corporations. 

One such member was Vladimir Dunaev. Born in Russia in 1983, he was part of that generation of Russian computer programmers who struggled to find work. For Wizard Spider, Dunaev specialized in developing web browser extensions that concealed the gang’s malware from antivirus software.

Another was Alla Witte. She was born in Latvia in 1966 and learned computer programming relatively late in life, after she had two children. When her first husband died, she was forced to move to the South American country of Suriname. Desperate for work, she accepted an $800/month gig from Wizard Spider, unaware of what the group actually did.

Whenever the group started, and whoever was involved, their first criminal activities began around Halloween 2014.   

Their first attacks were relatively simple. Say Wizard Spider wanted to rob a corporation called “Company A.” A Wizard Spider operative would start with a spear phishing email—they would message hundreds of Company A employees inviting them to open an email attachment. It would have a harmless title, like “Invoice.” In reality, the attachment would be infested with malware, which would soon spread throughout Company A’s system.  

In the early days, Wizard Spider used a malware called “Dyre”—spelled D-Y-R-E. It was programmed to monitor hundreds of banking websites. Once any Company A employee tried to log onto any of the company’s bank accounts, Dyre would generate a fake error message saying the bank was experiencing technical issues. It would direct the Company A employee to call the bank’s customer service hotline to sort it out.

Of course, the customer service number was controlled by Wizard Spider.

This way, Wizard Spider would harvest banking info for companies like the American paint giant Sherwin-Williams. A couple of days before Halloween 2014, a Sherwin-Williams employee noticed that about $6.45 million had been transferred from its corporate account to organizations across China, Latvia, Liechtenstein and the Netherlands. Obvious fraud.

Other victims include the Irish budget airline Ryanair, which Wizard Spider soaked for $4.8 million, and an Ohio-based engine parts company called Miba Bearings US, which lost $4.8 million. Dozens more unnamed companies lost up to $1.5 million each.

By 2015, Wizard Spider was responsible for more than a quarter of the world’s financial cybercrime.

But despite this initial success, Wizard Spider’s operations were over almost as quickly as they began.

In November 2015, Reuters reported that Russia’s Federal Security Service, or FSB, arrested several members of Wizard Spider.

Of course, this report couldn’t rely on firsthand sources. The FSB certainly wasn’t going to speak to a Western news agency. As a result, the number of people arrested and their names are unknown.

The FSB didn’t explain why they were arresting the group. Like we said, there are three ways a Russian hacking group can run afoul of the law in Russia:

1. Hacking Russian targets

2. Not giving Russia a cut of the proceeds

3. Refusing a request to hack on Russia’s behalf.

Wizard Spider hadn’t hacked anyone in Russia. And it’s unlikely the Russian government would have tried to use a group as new as Wizard Spider as one of its proxies.

That left the second option: not giving Russia a cut. Further lending credence to this theory is the fact that the FSB released everyone soon after the arrests, without charges. The FSB clearly didn’t want to punish them. It just wanted to remind them that Mother Russia always gets a taste.

After the FSB set them straight, Wizard Spider changed tactics. 

First, it replaced Dyre with “Trickbot,” malware that turned infected machines into a network of hacked computers under the gang’s control.

It had many uses. Yes, Trickbot could still be used to steal banking information. But it could also be used to deploy ransomware. One nasty variety was called Ryuk. Named after a demon from Japanese anime, Ryuk was especially dangerous because it could encrypt entire network drives as well as data. 

With Ryuk and Trickbot, Wizard Spider could now conduct ransomware attacks more effectively. Like we said, this was a relatively new tool in a cybercriminal’s toolbox. By mid 2018, when Wizard Spider began using Ryuk, the average ransomware payment was just $6,000. 

This meant nothing to a company like Sherwin-Williams, worth $30 billion. So, when it came to ransomware, Wizard Spider focused on smaller targets with limited resources: school districts like Avon and Coventry in Ohio. Local governments like that of Lake City, Florida. Or regional hospitals like Springhill Memorial, where Teiranni Kidd’s daughter, Nicko Silar, was born with brain damage.

Within two years, the average ransomware payment would rise from $6,000 to $230,000.

But what else was going on in late 2019 and early 2020? If you’re a human being, you probably remember the COVID-19 pandemic.

COVID would only make Wizard Spider’s victims more desperate. Hospitals especially, but also schools that would need to offer virtual learning, or governments that would need to conduct business.

Now, at this point in the story, you might be wondering, who besides Russia’s FSB was doing anything about this?

As usual, the cybersecurity community was way ahead of the cops in studying and identifying Wizard Spider’s activities and members.

One such expert was Lawrence Abrams.

He was the founder of the cybersecurity news website BleepingComputer.com. The son of New York City garment workers, he was drawn to computers as a child. He’d been tracking ransomware since 2012. His site was both a leading authority on the subject as well as a gathering place for ransomware experts and cybersecurity professionals. Abrams himself communicated with several ransomware gangs regularly.

On St. Patrick’s Day 2020, few people were out celebrating due to the oncoming COVID crisis. That day, Abrams emailed several ransomware gangs, including Wizard Spider. 

His message was simple: Stop attacking hospitals and other medical facilities for the duration of the pandemic. Too many lives are at stake.

The next day, he received many responses. The first was from DoppelPaymer, a ransomware gang primarily located in Germany and the Ukraine:

“We always try to avoid hospitals, nursing homes, not only now. If we hit a hospital by mistake, we will decrypt for free.”

A second, unnamed group wrote back: “We work very diligently in choosing our targets. We never target nonprofits, hospitals, schools, government organizations.”

A third group, Maze, posted a reply directly to its own website: “We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.”

But Wizard Spider never replied. If anything, COVID would only make the group bolder—and more dangerous.  

Act Two

By September 2020, COVID-19 was rampaging across the United States, with almost 7 million cases reported around the country. This pushed an already strained healthcare industry to the limit. Hospitals were facing shortages in open beds and critical supplies, while hospital workers were overworked, exhausted, and exposed to potentially deadly COVID infections daily.  

One healthcare company enduring this strain was Universal Health Services. Unless you’re a healthcare professional or you follow the stock market, you probably haven’t heard of UHS.

Based in King of Prussia, Pennsylvania, a small town outside Philadelphia, UHS manages more than 400 hospitals, behavioral health centers, labs, and pharmacies across the US, Puerto Rico, and the UK. In 2019, it served 3.5 million patients and brought in $11.4 billion in revenue.

In other words, UHS was much bigger than the small regional hospital networks that Wizard Spider typically attacked.

Around 2 a.m. on September 27, 2020, eastern time, employees at UHS facilities around the world began having trouble with their computers. Nurses would find that computers began slowing down before stopping entirely, and they were unable to turn them back on. Worse, the company’s IT specialists noticed that files were being encrypted—a mysterious program was changing file extensions to .ryk—evidence that the Ryuk malware was involved.

Worse than that, those front-line employees got no word from corporate on what was happening or what to do. They took to Reddit, where they posted anonymously about their situations. Slowly, they pieced together that the entire company was the victim of a cyberattack.

Nurses, doctors, pharmacists, and other UHS employees were forced to rely on pen and paper records to keep track of patients’ medication, medical histories, and surgical schedules—just like we saw at Springhill Medical Center and scores of other small hospitals.

Fortunately, this time no one died.

Almost immediately, the cybersecurity community attributed the attack to Wizard Spider, thanks to its use of Ryuk. UHS’s IT department needed three weeks to get the company up and running again. Overall, the attack cost UHS $67 million in IT repairs and lost revenue, and it’s unknown if it paid the ransom.

But the UHS attack reflected a shift in Wizard Spider’s tactics. Gone were the days of stealing banking information, as well as the days of small-time ransomware attacks. Now, they were focusing on so-called “big game” hunting—or, holding large corporations and organizations ransom. Universal Health Services was just the start.

Naturally, this just made Wizard Spider more conspicuous. The cybersecurity community was already monitoring its activities. UHS was cooperating with the FBI, which brought the case to the Justice Department’s attention, too.

But these cyber-attacks started in 2014. Why was the Justice Department only doing something about it six years later?

Since 9/11, the federal government’s top priorities were terrorism and counterintelligence, with cybercrime a distant third. 

But that would change with the 2016 Presidential Election.

Like we covered in episode 6, Russian government-backed hackers assisted Donald Trump by stealing embarrassing emails from the Hillary Clinton campaign and the Democratic National Committee, then gave them to Wikileaks to publish, contributing to Hillary Clinton’s surprise loss.

Trump might have welcomed this assistance, but hundreds of Americans in government and law enforcement were now aware of the threat posed by Russia, and other antagonistic countries. And those Americans in government and law enforcement were free to do something about the Russian threat.

One such agency was the United States Cyber Command, or USCYBERCOM. It was created in 2009 as part of the National Security Agency, and became its own agency in 2017. 

USCYBERCOM’s original mission was to protect the Defense Department’s computer network from cyberattacks. But over the following decade, USCYBERCOM evolved into a more aggressive, forward-thinking operation. By 2020, instead of waiting passively for America’s enemies to disrupt its computer networks, USCYBERCOM was attacking them first.

Which brings us back to Wizard Spider and the September 2020 attack on Universal Health Services. By this point, Wizard Spider had extorted scores of companies for millions of dollars. Even so, that was hardly the sort of thing that got the attention of the American military.

Instead, USCYBERCOM was concerned that Wizard Spider could use Trickbot to disrupt the upcoming election between Trump and Joe Biden, which was about a month away. 

Trump might have welcomed more Russian election interference, but USCYBERCOM wasn’t having it.

And so, on September 22nd, 2020, cybersecurity experts monitoring the servers that hosted Trickbot noticed something strange.

Trickbot’s network was run on more than 1 million hijacked computers. Wizard Spider controlled them with a “command and control” server. But that night in September, the cybersecurity community watched in stunned awe as Trickbot’s command and control servers stopped communicating with its network. Clearly, someone had infected Trickbot with malware, turning the tables on the ransomware criminals.

A few weeks later, four anonymous members of the USCYBERCOM team confirmed to The Washington Post that the agency was responsible for the disruption.

True, this was little more than a hiccup, as far as Wizard Spider was concerned. Its activities were back online within a day.

Yet this was a turning point. USCYBERCOM wasn’t just disrupting Trickbot. It was also gathering information on Wizard Spider and its members, using methods still not disclosed to the public. It passed this information on to the FBI and the Justice Department, which could now finally begin its prosecutions.

Wizard Spider showed no sign of slowing down, but things would never be the same.   

Election Day came on Tuesday, November 3rd, while COVID-19 continued to rage. It took four days of counting ballots, many of them absentee, until Joe Biden was declared the winner. Trickbot played no role in the result. 

As far as cybersecurity was concerned, President Biden enthusiastically supported the ongoing efforts to disrupt and prosecute Wizard Spider. But he had his work cut out for him. Soon, Wizard Spider struck again. 

The Baltimore County Public School System is the country’s 24th largest school district, which serves 115,000 students. Three weeks after Biden’s victory, Wizard Spider hit the BCPSS with Ryuk, encrypting files and forcing all online learning to stop for three days. BCPSS still hasn’t indicated whether it paid Wizard Spider’s ransom, but recovering from the cyberattack cost $10 million.

Also around this time, Wizard Spider began to discontinue the use of its Ryuk ransomware and instead conducted its attacks using a new strain called Conti. 

Like many details in this story, the origins of Conti, and Wizard Spider’s reasons for replacing Ryuk with it, are murky. As one cybersecurity reporter puts it, “Criminals are not known for telling the truth, but what they say is usually the only explanation for a disappearance. Even if it is a lie.”

Conti first appeared in February 2020, and it appeared to be a separate Russian criminal gang. The major difference between Conti and Ryuk was that Conti was run on a “Ransomware as a Service” model—in other words, Conti paid third-party affiliates to actually execute its ransomware attacks.

So, it’s possible Conti really was a separate criminal gang Wizard Spider absorbed. However, further analysis revealed that Conti borrowed much of its source code from Ryuk. Which meant, most likely the same people were behind it.

While Conti was a more sophisticated version of Ryuk, it certainly wasn’t an entirely new malware strain. So, why would Wizard Spider go to all this trouble? Likely, it was a ruse to throw off investigators, who were still struggling to catch up.

Using Conti, Wizard Spider would be responsible for hundreds more ransomware attacks. One of the most prominent came on St. Patrick’s Day 2021.

The people of Ireland definitely weren’t out celebrating, not more than a year into the COVID-19 pandemic. By then, Ireland had 230,000 COVID cases out of a population of 5 million.

This meant that Ireland’s publicly funded healthcare system, the Health Service Executive, or HSE, was under considerable strain.

Some time in January 2020, an HSE employee received a phishing email with an Excel attachment, which they unwittingly opened. This downloaded Conti onto the system. It would lurk for 8 weeks—a period called its “dwell time”—until that fateful St. Patty’s Day, when thousands of HSE employees opened their computers only to find the following message:

All of your files are currently encrypted by Conti strain. As you know, if you don’t just ‘Google It,’ all of the data that has been encrypted by our software cannot be recovered by any means, without contacting our team directly. 

There were links to two websites, one on the dark web and one on the clear web, ContiRecovery.best. The message continued:

You should be aware, just in case if you try to ignore us, we downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

Some 70,000 computers at 4,000 locations, including 54 hospitals, were infected, and 80% of the HSE’s systems were encrypted. Additionally, 700 gigabytes of personal data were stolen, including personal information about patients and employees, and were now being held as collateral.

In this case, the Irish government responded by literally deploying the military. The HSE immediately contacted the Irish Defence Forces’ Communications and Information Services Corps to ask for help with decrypting the files. The Irish military deployed members of the Army Reserve who were also so-called “ethical hackers,” thanks to their day jobs working in cybersecurity.

Still, it took until September for the HSE to regain access to 95% of its files, and it cost the HSE more than $600 million.   

Only, not all was going well for Wizard Spider. The attack on the HSE was Wizard Spider’s biggest and most destructive yet. Yet according to messages later discovered by investigators, some members of the group weren’t on board with attacking a hospital.

Apparently, the HSE attack was the work of a rogue member who went by the name “Dollar.” Dollar’s supervisor wrote to their boss, who went by Mango, to inform him that Dollar issued the attack without permission.

“Dollar is an asshole!” the supervisor wrote. “He then told me that he agreed with you to hack the hospital. And now he put the hospital again. This is disrespect. Two times I told him we do not touch the medical sector.”

Hearing this, an angry Mango confronted Dollar:

You are more problems than good. Everyone complains about you and gets angry. You’ve damaged Conti’s reputation by targeting hospitals.

Never mind that Wizard Spider had already been attacking hospitals for years.

On top of the group’s internal dissent, it was also making many, many enemies. Thanks to the earlier Ryuk attacks, Wizard Spider was already the subject of investigations by the United States Cyber Command, the US Justice Department, other legal systems around the world, and dozens of corporations and cybersecurity companies.

And by mid-2021, those investigations were starting to pay off. That summer, the FBI identified and caught two members of the Wizard Spider gang, both of whom had participated in the group’s original banking Trojan attacks.

There was Vladimir Dunaev, the expert in browser extensions. He was apprehended while traveling in South Korea and extradited to the US.

And there was Alla Witte, the 55-year-old Latvian mother of two who didn’t even know what she was signing up for. She was extradited from her new home country of Suriname.

Also that summer, President Biden publicly confronted Vladimir Putin during a phone call and demanded he stop turning a blind eye to Russia’s many ransomware groups. While Putin had grown accustomed to manhandling Biden’s predecessor, Biden was much more confrontational. Putin was also in an increasingly weak position, internationally. Russia would eventually placate Biden by arresting another ransomware gang, REvil, as well as one of the hackers responsible for the Colonial Pipeline hack. But as we’ll see, Putin had his own reasons for doing so.

Internal strife, arrests, counterattacks, and repeated public shaming were all bad news for Wizard Spider. But in early 2022, Putin would make a desperate gamble, and everything would soon fall apart.

Act Three 

On January 13, 2022, Microsoft’s Threat Intelligence Center began receiving a disturbing series of reports. Several government computer systems in the Ukraine were displaying the following message:

Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet. We will contact you to give further instructions.

It was yet another ransomware attack with apparent ties to Russia. Microsoft has never divulged which government agencies were hit, but would only say that they “provide critical executive branch or emergency response functions” in the Ukraine.

Only…not everything was like it seemed.

Because just 29 days later, on February 24, men in camouflage took over the border crossings between Crimea and the Ukraine.

Then, at 4:50 a.m., Vladimir Putin made an emergency speech to his nation, saying:

“I have decided to conduct a special military operation … to protect people who have been subjected to abuse and genocide by the Kiev regime for eight years.”

This was a reference to Ukraine’s alleged persecution of Russian citizens in its Donbas region, a claim that has largely been shown to be baseless.

Putin’s speech also accused the Ukrainian government of Volodymyr Zelenskyy of being a “neo-Nazi junta.”

Minutes later, missiles and artillery began hitting targets outside the Ukrainian cities of Kiev and Kharkiv, and the war was on.

Now back to that supposed Ukrainian ransomware attack. It was quickly determined that the attack was carried out on the orders of the Russian government. Money wasn’t the objective; the goal was to disrupt the Ukrainian government. The timing was just too suspicious to be coincidental.

On top of that, on January 14th, literally one day after the supposed ransomware attacks in the Ukraine, Putin ordered the arrests of the REvil ransomware gang. In hindsight, this was an obvious smokescreen. Putin, and Russia, couldn’t be responsible for any cyber-shenanigans in the Ukraine, because he was already busy cleaning up cyber-shenanigans at home. See? You can trust him.

And if you believe that, Modem Mischief has some lovely beachfront property in Siberia that we’d love to sell you.

Wizard Spider wasn’t responsible for that particular ransomware attack, and it’s unknown if it participated at all in the invasion of Ukraine—although it’s likely.

But even if Wizard Spider wasn’t involved, we do know that many of its members supported the war—and this is exactly what led to its downfall.

The day after the invasion, the group running the Conti ransomware posted a message on its website.

The message read:

The Conti team is officially announcing a full support of the Russian government. If any body will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy.

A pro-Putin message would seem like a smart idea, but it backfired.

Like we said, Conti and Wizard Spider were based in Russia, but not only Russia. Some members hailed from places like Belarus, Latvia, or yes, the Ukraine.

Within days of Conti’s pro-war statement, an anonymous user signed up for a Twitter account called “Conti Leaks” and began publishing internal chat messages from the Conti RocketChat channel, which is like Slack or Discord. 200,000 in total.

It’s never been confirmed who this leaker was. Some reported that they were a disgruntled Conti team member who went rogue. Others claimed they were a Ukrainian security researcher.

Either way, these chat messages gave an unprecedented look at the inner workings of a Russian ransomware group. Yes, the Conti team members discussed the technical aspects of their malware, and argued over whom they should be targeting, and discussed their negotiating strategies.

But they also talked about everyday things, like life, pop culture, and politics. Based on the chat messages, it was clear that many members truly did support the war in Ukraine and believed Putin’s claims about Zelenskyy running a neo-Nazi dictatorship. In one exchange, when a member pointed out that Zelenskyy is Jewish, and that his grandfather fought the Nazis, the chatroom devolved into antisemitic jokes.

Naturally, the release of 200,000 chat messages caused Wizard Spider’s members to panic. Many left the organization and went on to work with smaller ransomware groups.

But those who remained at Wizard Spider and its Conti ransomware team had a plan to make one last big score.

In April 2022, two months after the publication of its documents, the Conti team launched its biggest ransomware attack yet—when it tried to hold the entire nation of Costa Rica at ransom.

Conti launched the first probes on April 10th. By the 18th, they’d broken into the servers for the Ministry of Finance, encrypting files and disabling both the digital tax service and the IT system for customs control.

This essentially paralyzed the country’s import/export industry, costing Costa Rica up to $38 million per day.

The Conti team demanded a ransom of $20 million, which Costa Rica refused to pay, then lowered it to $15 million, which the country also declined.  

The ransomware gang continued attacking the Ministry of Labor and Social Security, as well as state and local governments across the country.

Weeks after the attack, most files were still encrypted. When Rodrigo Chaves won Costa Rica’s presidential election in May, he declared a state of emergency for the ransomware attack and effectively declared war on the group.

But Conti wasn’t done. Weeks later, they attacked the Costa Rican Social Security Fund (CCSS), which controls the country’s healthcare. Just like we saw in the US, Ireland, and many other countries, this brought Costa Rica’s healthcare system to a grinding halt.

It’s unknown how much the Conti attacks cost Costa Rica in the end, but definitely hundreds of millions of dollars—even if none of that included a ransom payment.

But this attack would be a miscalculation on Conti’s part for yet another reason: The United States finally had enough.

The US pledged $25 million to help Costa Rica rebuild its computer systems. It also offered a $10 million reward for information on Conti’s leadership, and another $5 million for information leading to Conti members’ arrests.

Less than a year later, the US government was finally ready to name names.

In February 2023, the Treasury Department formally sanctioned seven members of Wizard Spider, specifically the Conti ransomware team. This allowed the US Office of Foreign Assets Control to seize their assets—although admittedly that’s only the assets they can actually find and get their hands on.

In June, the Justice Department issued indictments against those seven plus an additional two Wizard Spider members, along with their criminal aliases, dates of birth, and email addresses.

Mango, the Conti team leader who scolded his renegade employee for attacking the Irish Health Service Executive, was identified as MIKHAIL TSAREV. The other eight named members include:  

ANDREY ZHUYKOV,

MAKSIM GALOCHKIN,

DMITRY PUTILIN,

SERGEY LOGUNTSOV,

MAX MIKHAYLOV, 

MAKSIM RUDENSKY,

VALENTIN KARYAGIN, 

And MAKSIM KHALIULLIN.

Yet…like we’ve seen before, there was no way Putin would allow any of those nine men to be extradited. At best, the US could hope one of them would travel to an allied country that would extradite them, but now that they were being put on blast, that was unlikely.

The bigger victory was the decline of the use of Conti and its malware network, Trickbot. Not because the US or other countries dismantled it, but because they just became too well-known to use.

Technically, these indictments marked the end of Wizard Spider—but ransomware is far from over.

Act Four

Unless you’re a British accountant, you’re probably not too familiar with Zellis, a company that provides payroll services.

As of June 2023, Zellis was using a popular file transfer program called MOVEit.

Problem was, hidden in MOVEit’s code was a security flaw, one that was already known on the dark web.

And so, that June, many of Zellis’s clients, like British Airways and the BBC, received a message: a group of online criminals had exploited MOVEit’s security flaw to steal several terabytes’ worth of information.

But who was this criminal group? They didn’t match the MO of any previously known hacking group.

The cybersecurity community didn’t have much trouble finding an answer. Within days, a Russian ransomware gang called Cl0p, pronounced “Clop,” took responsibility for the hack.

Other victims began coming forward. These included public bodies in Illinois and Nova Scotia, Johns Hopkins University, the University System of Georgia, and the European oil and gas company Shell. Even some US federal agencies were breached, like the US Department of Energy.

Nobody paid the hackers’ ransom, and to this day the hackers supposedly still have all of that data.

But notice that none of Clop’s ransomware attacks involved encrypting files; instead, they focused on holding stolen information hostage. This is because so many victims of the attacks carried out by groups like Wizard Spider refused to pay ransoms that the need to encrypt files essentially disappeared. This is how ransomware is evolving in 2023.

In the end, it’s impossible to calculate how much damage Wizard Spider actually did. In 2021 alone, the Conti ransomware team attacked 1,000 victims and earned $180 million in ransom payments. Given that Conti, and its predecessor Ryuk, were both among the most successful ransomware programs in the time they were in operation—roughly 2018 to 2022—the gang’s overall haul must be many times that.

Then there’s the economic cost of Wizard Spider’s activities. Like we said, their victims included everyone from small city governments to multinational corporations to national health services and even entire countries. Given that the Irish HSE attack alone cost $600 million to repair, the total number is many billions.

It may be true that the overall revenue of ransomware is falling—ransomware gangs took in $300 million less in 2022 than they did in 2021—but it remains a lucrative criminal enterprise. And it always will, so long as gangsters can keep tricking people into downloading suspicious email attachments.

So, keep that spam filter updated, or you might find yourself caught up in the spider’s web.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon. Just go to patreon.com/modemmischief or click the link in the show notes. You can also support us through a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka Wizard Spitter. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!