
Wizard Spider and Sandworm

Enterprise Evaluation 2021
ATT&CK Description

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals. [1] [2]

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009. [1] [2] [3] [4]

Emulation Notes

This round will focus on how multiple groups abuse Data Encrypted For Impact (T1486). In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368) that disguised itself as ransomware. While the common thread to this year’s evaluations is Data Encrypted for Impact, both groups have substantial reporting on a broad range of post-exploitation tradecraft.

Technique Scope

For the Wizard Spider and Sandworm evaluation, the ATT&CK techniques highlighted in the Navigator layer are in scope. Linux techniques are included in the scope, though they will represent only a small portion of the evaluation, and the Linux portion is optional for participants. This will also mark the first time the Impact tactic is in scope for the evaluation.

You can view the in-scope Techniques for the Wizard Spider and Sandworm evaluation in the ATT&CK Navigator by checking out the layer file we made available here. A preview is shown below! The Techniques in scope attributed specifically to Wizard Spider are highlighted in purple, attributed specifically to Sandworm in blue, and both Wizard Spider and Sandworm in grey.
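As an added example (not part of the original page, and not the evaluation's published layer file), the following Python builds an ATT&CK Navigator layer with the colour scheme described above: one colour for techniques attributed only to Wizard Spider, one for techniques attributed only to Sandworm, and grey for techniques attributed to both. The hex colours, the layer-format version and the sample technique sets are this example's assumptions; the sample sets are constructed for illustration and are not the real evaluation scope.

```python
import json

# Hex colours are assumptions; the page only says purple, blue and grey.
COLOR_WIZARD_SPIDER = "#8a2be2"   # purple: in scope for Wizard Spider only
COLOR_SANDWORM = "#1e90ff"        # blue: in scope for Sandworm only
COLOR_BOTH = "#a9a9a9"            # grey: in scope for both groups


def assign_colors(wizard_spider, sandworm):
    """Partition two technique-ID sets into the three-colour scheme.

    Returns a dict technique_id -> hex colour. A technique present in both
    sets is grey; otherwise it takes the colour of the group it belongs to.
    """
    ws, sw = set(wizard_spider), set(sandworm)
    colors = {}
    for tid in ws | sw:
        if tid in ws and tid in sw:
            colors[tid] = COLOR_BOTH
        elif tid in ws:
            colors[tid] = COLOR_WIZARD_SPIDER
        else:
            colors[tid] = COLOR_SANDWORM
    return colors


def build_layer(name, wizard_spider, sandworm):
    """Build an ATT&CK Navigator layer (as a dict ready for json.dumps).

    The 'versions' value is an assumption; set it to match the Navigator
    build you load the layer into.
    """
    colors = assign_colors(wizard_spider, sandworm)
    return {
        "name": name,
        "versions": {"layer": "4.2"},
        "domain": "enterprise-attack",
        "description": "Purple = Wizard Spider only, blue = Sandworm only, grey = both",
        "techniques": [
            {"techniqueID": tid, "color": colors[tid], "enabled": True}
            for tid in sorted(colors)
        ],
    }


# Constructed sample scope for illustration only; NOT the real evaluation
# scope. T1486 is the one technique the page attributes to both groups.
SAMPLE_WIZARD_SPIDER = {"T1486", "T1059.001", "T1021.002"}
SAMPLE_SANDWORM = {"T1486", "T1562.001", "T1021.002"}

if __name__ == "__main__":
    layer = build_layer("Wizard Spider and Sandworm scope (sample)",
                        SAMPLE_WIZARD_SPIDER, SAMPLE_SANDWORM)
    # Write the output to a .json file and open it with Navigator's
    # "Open Existing Layer" to see the colour-coded matrix.
    print(json.dumps(layer, indent=2))
```

Swapping the sample sets for the technique IDs in the published layer reproduces the colour-coded matrix; the partition logic is what guarantees a technique shared by both groups is never accidentally painted with one group's colour.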

Learn More: Technique Scope


Figure 1: Wizard Spider and Sandworm Evaluation Environment

Environment configuration is subject to change. Any changes will be reflected on this page. Full environment configuration details will be available upon the release of results. (Updated June 14, 2021 to add CentOS kernel build version)

The evaluations will be performed in the Microsoft Azure Cloud. There will be two organizations with separate networks and domains, with Windows Defender disabled for certain portions of the evaluations. The networks will contain domain joined machines running Windows Server 2019, Windows 10 Pro, and CentOS 7.9. The versions are as follows:

  • Windows Server 2019
    • Publisher: MicrosoftWindowsServer
    • Version: 1809
    • SKU: 2019-Datacenter
  • Windows 10 Pro
    • Publisher: MicrosoftWindowsDesktop
    • Version: 20h2
    • SKU: 20h2-pro
  • CentOS 7.9
    • Publisher: OpenLogic
    • SKU: 7_9
    • Kernel: 3.10.0-1160.15.2.el7.x86_64

Learn More: Environment Page

Detection Categories

Vendors use their own terminology and approaches to detect and protect against potential adversary behavior. They provide this information to us in their own formats, and it is our responsibility to abstract the data into categories so that the products can be discussed in comparable terms.

These categories are divided into two types: “Main” and “Modifier.” Each detection or protection receives exactly one main category designation, which reflects the amount of context provided to the user, and may optionally receive one or more modifier category designations that describe the event in more detail. For the Wizard Spider and Sandworm evaluation, there are six main detection categories representing the amount of context provided to the analyst, and three main protection categories.

You can learn more about our process for categorizing detections here.

Learn More: Detection Categories Page