WizardSpider

Wizard Spider is a criminal threat actor associated in the provided content with use of Conti ransomware. The content links the group to the 2021 ransomware attack on Ireland's Health Service Executive (HSE), which caused months of disruption and millions in damage. According to the cited PWC report, the intrusion began on 16 March 2021 when a user opened a malicious Microsoft Excel attachment delivered via phishing email. PWC attributed the intrusion to Wizard Spider, stated the attackers likely exploited an unpatched known vulnerability to gain access to HSE's Active Directory domain, and reported that the group maintained access for roughly two months before deploying the final Conti v3 payload on 14 May 2021. The content also states that HSE personnel had observed Wizard Spider activity before detonation and that antivirus detections included Cobalt Strike and Mimikatz. During the intrusion, the group reportedly compromised systems in multiple hospitals. The content further describes leaked internal chats from the Russia-affiliated Conti ransomware gang and notes that Wizard Spider used Conti ransomware in the HSE attack. Separately, Sophos reported a case involving a Canadian healthcare organization where Conti and the Karma ransomware gang both gained access via the ProxyShell exploit; in that incident, Conti encrypted much of the organization's data and dropped a batch script to disable Windows Defender before deploying its ransomware payload. Alias directly provided in the content: wizardspider.