WIZARD SPIDER: The Financial Empire Behind Global Ransomware Operations
ID: 986ffb84-824b-58cc-b58e-f4796c5dd23d
STIX ID: report--986ffb84-824b-58cc-b58e-f4796c5dd23d
Feed Name: Brandefense Blog
WIZARD SPIDER is a highly organized, financially motivated criminal consortium (aka FIN12/Gold Blackburn/DEV-0193), active since at least 2016, that conducts large-scale ransomware and double-extortion campaigns worldwide. The report outlines their affiliate/RaaS model; their TTPs, including phishing, loaders (TrickBot, BazarLoader), Cobalt Strike, and ransomware families (Ryuk, Conti, Black Basta); recent campaign history through 2025 targeting healthcare, logistics, and manufacturing; observed impacts; and prioritized mitigations such as MFA, EDR/XDR, segmentation, and incident response preparedness.
