
G0102 Wizard Spider

Wizard Spider is a Russia-based, financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[3][1][6]

Item Value
ID G0102
Associated Names UNC1878, TEMP.MixMaster, Grim Spider
Version 2.1
Created 12 May 2020
Last Modified 22 March 2023

Associated Group Descriptions

Name Description
UNC1878 [5]
TEMP.MixMaster [2]
Grim Spider [3][4]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Wizard Spider has identified domain admins through the use of "net group 'Domain admins'" commands.[8]
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.[5]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Wizard Spider has used HTTP for network communications.[4]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[15]
enterprise T1547.004 Winlogon Helper DLL Wizard Spider has established persistence by modifying the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[5]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Wizard Spider has used macros to execute PowerShell scripts that download malware onto victims' machines.[4] It has also used PowerShell to execute commands and move laterally through a victim network.[15][10]
enterprise T1059.003 Windows Command Shell Wizard Spider has used cmd.exe to execute commands on a victim's machine.[8]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[4]
enterprise T1074 Data Staged Wizard Spider has collected and staged credentials and network enumeration information using the networkdll and psfin TrickBot modules.[4]
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Wizard Spider has exfiltrated victim information using FTP.[8][7]
enterprise T1041 Exfiltration Over C2 Channel Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[4]
enterprise T1210 Exploitation of Remote Services Wizard Spider has exploited or attempted to exploit the Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.[5][8][9]
enterprise T1133 External Remote Services Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[5]
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification Wizard Spider has used the icacls command to modify access control on backup servers, granting itself full control of all the system folders.[11]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[15][8]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[4]
enterprise T1570 Lateral Tool Transfer Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.[4]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Wizard Spider has used scheduled tasks to install TrickBot, using task names that appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[4] It has also used common document file names for other malware binaries.[5]
enterprise T1112 Modify Registry Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential value to 1 in order to force credentials to be stored in cleartext in memory.[4]
enterprise T1135 Network Share Discovery Wizard Spider has used the "net view" command to locate mapped network shares.[1]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Wizard Spider has used Base64 encoding to obfuscate an Empire service and PowerShell commands.[2][8]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Wizard Spider has obtained and used publicly available post-exploitation frameworks and tools such as Metasploit, Empire, and Mimikatz.[5]
enterprise T1588.003 Code Signing Certificates Wizard Spider has obtained a code signing certificate issued by DigiCert for some of its malware.[7]
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.[5]
enterprise T1003.003 NTDS Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[5]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Wizard Spider has used spearphishing attachments to deliver Microsoft Office documents containing macros, or PDFs containing malicious links, that download Emotet, Bokbot, TrickBot, or Bazar.[4][10]
enterprise T1566.002 Spearphishing Link Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[1][7]
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[1][7]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Wizard Spider has used RDP for lateral movement.[4][1][7]
enterprise T1021.002 SMB/Windows Admin Shares Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[7][8]
enterprise T1021.006 Windows Remote Management Wizard Spider has used Windows Remote Management to move laterally through a victim network.[1]
enterprise T1018 Remote System Discovery Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point-of-sale indicators. Wizard Spider has also used AdFind and nltest/dclist to enumerate domain computers, including the domain controller.[2][4][5][10][8]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.[4][15][7]
enterprise T1489 Service Stop Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[8]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[8]
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to request Kerberos service tickets (including AES-encrypted ones) whose hashes can then be cracked offline.[8][5][1][7]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Wizard Spider has used DigiCert code-signing certificates for some of its malware.[7]
enterprise T1082 System Information Discovery Wizard Spider has used "systeminfo" and similar commands to acquire detailed configuration information about a victim machine.[8]
enterprise T1016 System Network Configuration Discovery Wizard Spider has used "ipconfig" to identify the network configuration of a victim machine.[11]
enterprise T1033 System Owner/User Discovery Wizard Spider has used "whoami" to identify the local user and their privileges.[11]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Wizard Spider has executed scripts and executables as Windows services (started by services.exe) during lateral movement within a victim network.[8][9]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[1]
enterprise T1204.002 Malicious File Wizard Spider has lured victims into executing malware via spearphishing attachments containing macros that download Emotet, Bokbot, TrickBot, or Bazar.[4][6]
enterprise T1078 Valid Accounts Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[4]
enterprise T1078.002 Domain Accounts Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[5]
enterprise T1047 Windows Management Instrumentation Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.[4][15][10]

Software

ID Name References Techniques
S0552 AdFind [2][8][7][10] Domain Account:Account Discovery; Domain Trust Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S0534 Bazar [6] Local Account:Account Discovery; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; BITS Jobs; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Shortcut Modification:Boot or Logon Autostart Execution; Winlogon Helper DLL:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Domain Generation Algorithms:Dynamic Resolution; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Fallback Channels; File and Directory Discovery; Disable or Modify Tools:Impair Defenses; File Deletion:Indicator Removal; Clear Persistence:Indicator Removal; Ingress Tool Transfer; Double File Extension:Masquerading; Match Legitimate Name or Location:Masquerading; Masquerade Task or Service:Masquerading; Multi-Stage Channels; Native API; Network Share Discovery; Obfuscated Files or Information; Dynamic API Resolution:Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Spearphishing Link:Phishing; Process Discovery; Process Doppelgänging:Process Injection; Process Hollowing:Process Injection; Process Injection; Query Registry; Remote System Discovery; Scheduled Task:Scheduled Task/Job; Security Software Discovery:Software Discovery; Software Discovery; Code Signing:Subvert Trust Controls; System Information Discovery; System Language Discovery:System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Malicious Link:User Execution; Time Based Evasion:Virtualization/Sandbox Evasion; Virtualization/Sandbox Evasion; Web Service; Windows Management Instrumentation
S0521 BloodHound [15][11] Local Account:Account Discovery; Domain Account:Account Discovery; Archive Collected Data; PowerShell:Command and Scripting Interpreter; Domain Trust Discovery; Group Policy Discovery; Native API; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Owner/User Discovery
S0154 Cobalt Strike [5][1][8][7][9][11][6] Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Process Hollowing:Process Injection; Process Injection; Dynamic-link Library Injection:Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; SSH:Remote Services; Remote Desktop Protocol:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0575 Conti [6] Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; File and Directory Discovery; Inhibit System Recovery; Native API; Network Share Discovery; Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection:Process Injection; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; Service Stop; System Network Configuration Discovery; System Network Connections Discovery; Taint Shared Content
S0024 Dyre [12][13][14] Web Protocols:Application Layer Protocol; Windows Service:Create or Modify System Process; Local Data Staging:Data Staged; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; Ingress Tool Transfer; Software Packing:Obfuscated Files or Information; Process Injection; Dynamic-link Library Injection:Process Injection; Scheduled Task:Scheduled Task/Job; Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery; System Checks:Virtualization/Sandbox Evasion
S0367 Emotet [4][11] Email Account:Account Discovery; Archive Collected Data; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Password Guessing:Brute Force; PowerShell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; Exploitation of Remote Services; Network Sniffing; Non-Standard Port; Software Packing:Obfuscated Files or Information; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Process Discovery; Dynamic-link Library Injection:Process Injection; SMB/Windows Admin Shares:Remote Services; Scheduled Task:Scheduled Task/Job; Credentials In Files:Unsecured Credentials; Malicious Link:User Execution; Malicious File:User Execution; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0363 Empire [4][15] Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0632 GrimAgent [15] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Data from Local System; Junk Data:Data Obfuscation; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion:Indicator Removal; Clear Persistence:Indicator Removal; Ingress Tool Transfer; Native API; Obfuscated Files or Information; Binary Padding:Obfuscated Files or Information; Scheduled Task:Scheduled Task/Job; System Information Discovery; System Location Discovery; System Language Discovery:System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Time Based Evasion:Virtualization/Sandbox Evasion
S0002 Mimikatz [5][1] SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0039 Net [3][10][5][8][7][9][11] Domain Account:Account Discovery; Local Account:Account Discovery; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery
S0359 Nltest [5][8][7][9][11][10] Domain Trust Discovery; Remote System Discovery; System Network Configuration Discovery
S0097 Ping [8][1][9] Remote System Discovery
S0029 PsExec [4][5] Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S0446 Ryuk [3][10][15][8][7][9][11][6] Access Token Manipulation; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; File and Directory Discovery; Windows File and Directory Permissions Modification:File and Directory Permissions Modification; Disable or Modify Tools:Impair Defenses; Inhibit System Recovery; Loss of Productivity and Revenue; Match Legitimate Name or Location:Masquerading; Masquerading; Native API; Obfuscated Files or Information; Process Discovery; Process Injection; SMB/Windows Admin Shares:Remote Services; Scheduled Task:Scheduled Task/Job; Service Stop; System Information Discovery; System Language Discovery:System Location Discovery; System Network Configuration Discovery; Traffic Signaling; Domain Accounts:Valid Accounts
S0266 TrickBot [4][1][11][6] Local Account:Account Discovery; Email Account:Account Discovery; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Session Hijacking; Credential Stuffing:Brute Force; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Password Managers:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; Exploitation of Remote Services; Fallback Channels; File and Directory Discovery; Firmware Corruption; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Credential API Hooking:Input Capture; Component Object Model:Inter-Process Communication; Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Standard Port; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Permission Groups Discovery; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Bootkit:Pre-OS Boot; Process Discovery; Process Hollowing:Process Injection; Process Injection; External Proxy:Proxy; Remote Access Software; VNC:Remote Services; Remote System Discovery; Scheduled Task:Scheduled Task/Job; Code Signing:Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery; Credentials In Files:Unsecured Credentials; Credentials in Registry:Unsecured Credentials; Malicious File:User Execution; Time Based Evasion:Virtualization/Sandbox Evasion

References

1. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
2. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
4. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
5. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
6. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
7. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
8. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
9. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
10. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
11. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
12. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
13. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
14. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.
15. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.