
The Clop ransomware has become a tool of choice for the financially motivated group.
The FIN11 financial crime gang is shifting its tactics from phishing and credential-theft to ransomware, researchers said.
According to FireEye Mandiant researchers, FIN11 is notable for its "sheer volume of activity," known to run up to five disparate wide-scale email phishing campaigns per week. "At this point, it would be difficult to name a client that FIN11 hasn't targeted," Mandiant researchers noted, in a posting on Tuesday.
But lately, it has used the Clop ransomware to up its monetary gains.
Researchers have recently observed attacks in which FIN11 threatened to publish exfiltrated data to pressure victims into paying ransom demands, a tactic known as double extortion. Clop (which emerged in February 2019) is often used in these kinds of attacks, putting it in the company of the Maze, DoppelPaymer and Sodinokibi ransomware families.
Clop recently made headlines as the malware behind double-extortion attacks on Germany's Software AG (which carried a $23 million ransom) and a biopharmaceutical firm called ExecuPharm.
FIN11 has been around for at least four years, conducting widespread phishing campaigns. However, it continues to evolve: its use of Clop and double extortion is only the latest change in its tactics and tools. It added point-of-sale (POS) malware to its arsenal in 2018, according to Mandiant, and started conducting run-of-the-mill ransomware attacks in 2019.
It's changed its victimology, too, researchers said: "From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11's targeting expanded to include a diverse set of sectors and geographic regions."
Mandiant's analysis noted that the changes may have been implemented to supplement the ongoing phishing efforts because the latter aren't wildly successful.
"We've only observed the group successfully monetize access in few instances," researchers said. "This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture."
Also, FIN11 is a subset of the larger TA505 group (a.k.a. Hive0065), a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail and restaurants, since at least 2014. It's known for using a wide range of tactics (in March, IBM X-Force observed TA505 using COVID-19 themed phishing emails), as well as for ongoing malware authoring and development.
Its wares include fully fledged backdoors and RATs, including the recently spotted SDBbot code. And in January, a new backdoor named ServHelper was spotted in the wild, acting as both a remote desktop agent and a downloader for a RAT called FlawedGrace.
These campaigns deliver a variety of payloads, including the Dridex and TrickBot trojans and, yes, ransomware. The latter includes Clop, but also Locky and MINEBRIDGE.
All of this could also explain FIN11ās adoption of new malware.
"Like most financially motivated actors, FIN11 doesn't operate in a vacuum," Mandiant researchers concluded. "We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations."
Brandon Hoffman, CISO at Netenrich, told Threatpost that this use of service providers in the underground is common. "There is a whole marketplace of providers that cater to and operate in what some refer to as the dark web. These services are not limited to the ones described as in use by FIN11 but include code-writing services, monetary exchanges and more," he said.
Hoffman also pointed out that this evolution to ransomware and extortion has become common for cybercriminals everywhere.
"Broad-based phishing campaigns with the hope of hooking ransomware into an organization for the purpose of extortion, while leveraging malicious service providers, is at the basic footprint of cybercrime today," he said. "What makes this group special or different remains to be seen for those of us on the outside."