Skip Navigation
BlackBerry Blog

BlackBerry Again Demonstrates 100% Prevention Against Wizard Spider and Sandworm Threat Groups Emulated in MITRE ATT&CK Evaluations

CYBERSECURITY / 04.01.22 / Gary Davis

Emulating Real-World Cyberattacks Helps Organizations Evaluate Security Solutions

One of the best methods for effectively evaluating security products is emulation of real-world cyberattacks. Using adversarial tactics and techniques against various cybersecurity solutions, independent resources such as the MITRE ATT&CK® framework have emerged as trusted sources of information on product performance. BlackBerry recently submitted its Cylance® cybersecurity portfolio for participation in the MITRE Engenuity cybersecurity evaluations. This round of independent ATT&CK evaluations for enterprise cybersecurity solutions emulated the Wizard Spider and Sandworm threat groups, highlighting results across 30 vendors.

Highlights of BlackBerry Results

  • BlackBerry’s suite of Cylance cybersecurity solutions was 100% successful in preventing both the Wizard Spider and Sandworm attack emulations very early in each scenario – before any damage occurred. 

  • BlackBerry’s CylancePROTECT® and CylanceOPTICS® solutions provided comprehensive detections on individual attack techniques with high confidence, helping to reduce wasted resources spent chasing false positives.

  • BlackBerry’s CylanceGATEWAY™ solution added network telemetry that provided additional context and visibility during the evaluation.

“We are incredibly pleased with the results of this evaluation,” said Billy Ho, Executive Vice President, BlackBerry Cybersecurity Business Unit. “It’s further affirmation that our advanced, next-generation Cylance AI/ML models can provide 100% protection against the most advanced threats. We can stop the adversary in their tracks before they even get in the door, ensuring best-in-class protection and peace of mind for your organization.”

The efficacy of BlackBerry’s Cylance cybersecurity portfolio has been extensively tested with excellent results, verified by highly respected third-party experts such as MITRE and SE Labs. BlackBerry participated in MITRE ATT&CK evaluations for the past four years. These most recent MITRE results further validate testing from January 2022 with SE Labs where CylancePROTECT and CylanceOPTICS earned a AAA rating for excellent performance, scoring 100% in “Protection Accuracy” against Wizard Spider and Sandworm.

MITRE Engenuity’s acting General Manager of ATT&CK Evaluations, Ashwin Radhakrishnan, spoke about the latest test round and how it indicates significant growth from the participating vendors. “We are seeing greater emphasis in threat-informed defense capabilities, which in turn has developed the infosec community’s emphasis on prioritizing the ATT&CK framework.”

MITRE ATT&CK Evaluations prioritize threats that offer unique impact to businesses and governments worldwide, emulating the attacks through the lens of the ATT&CK knowledge base. The first of the two threat actors that this test focused on, Wizard Spider, is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018. Targets have included a range of industries and organizations, from major corporations to hospitals. The other threat actor featured in the test, Sandworm, is a destructive Russia-based threat group known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. The threat actors were chosen based on their complexity, relevance to the market, and how well MITRE Engenuity staff can accurately emulate the adversary.

In this test, the ATT&CK Evaluations team specifically chose to emulate two threat groups that abuse the Data Encrypted for Impact (T1486) technique. In Wizard Spider’s case, the actor leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with its NotPetya malware (S0368), which disguised itself as ransomware.

Third-party testing is essential to help vendors and end-users better understand product capabilities and enable them to stop tomorrow’s threats, today. With their attack surface rapidly changing and becoming increasingly complex, organizations must prepare to mitigate various threats from sophisticated threat actors. BlackBerry is committed to mapping our defenses to the MITRE ATT&CK framework, providing customers with increased confidence and visibility for discovering gaps in processes and defense tools, and enhancing their overall network defense and protection.

For full results and more information about the MITRE Engenuity ATT&CK evaluations, please visit here.  

For more information on how BlackBerry can help your organization prepare for, detect, respond to, and prevent cyber threats visit

Gary Davis

About Gary Davis

Gary Davis is Chief Cybersecurity Advocate at BlackBerry.