GuardYoo Threat Research Team - WIZARD SPIDER and CONTI Ransomware

Regarding this latest series of ransomware attacks against the Irish Health Service Executive (HSE). We asked the guys in the GuardYoo Threat Research lab for an overview of what they know and they provided the following detail. 

WIZARD SPIDER is reportedly associated with GRIM SPIDER and LUNAR SPIDER.

The WIZARD SPIDER threat group is the Russian-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset.

The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organisations for a high-ransom return.

This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russian-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

Their main aim, as we understand it, is to target and infiltrate the infrastructure of large organisations and, having gained entry, and successfully navigating their way around the network, will identify critical data sets and encrypt them with a view to extorting a ransom.

While exploring the infrastructure, they will steal and encrypt critical data using a tool called CONTI.

CONTI ransomware was first detected in July 2020 and it was noted at the time as containing some unique features, notably, faster encryption than most other types of ransomware. CONTI ransomware is recognised as the new version of the better-known Ryuk ransomware.


According to media reports in Ireland, criminals have stolen 700+ Gigabytes of data from the HSE (Health Service Executive).

This suggests that adversaries were inside the HSE infrastructure for some time, learning about the infrastructure and which data was valuable. Only when proper reconnaissance was complete did they execute their malware to cripple the entire HSE network.

We believe that each step of the attack on the HSE infrastructure involved a standard approach using recognised tools and techniques such as Teamviewer, PSEXEC, the capture of Domain Admin Accounts, hidden backdoor, and more.

According to an Irish Times report on Wednesday, May 19th, a medical organisation from outside the Irish State had contacted an Irish HSE patient, (whose details were released on the “dark web”) offering to provide a medical procedure the patient required.

The Irish Times reports that the patient was "contacted by a medical organisation from outside the Irish State who had all their medical details including the procedure they needed and their full medical history”.

The international medical organisation knew exactly what procedure the patient required and offered to deliver it within a short period of time as they knew the patient was on a long public waiting list in Ireland.

Regular Compromise Assessment will help to identify if intruders are within your network and are avoiding detection by other cybersecurity applications.

If you are interested in learning more about how GuardYoo can help you better understand the hidden vulnerabilities within your network, please contact us at and we can discuss your concerns further.