This major criminal hacking group just switched to ransomware attacks

A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now they've switched to ransomware because it's the biggest and easiest pay day.
Written by Danny Palmer, Senior Writer

A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign that has been active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become as a money-making tool for cyber criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a 'well-established financial crime group' which has conducted some of the longest running hacking campaigns.

The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 

For example, in just one week, Mandiant observed concurrent campaigns targeting pharmaceuticals, shipping and logistics industries in both North America and Europe.

But despite attacks targeting a wide variety of organisations around the world, many of the initial phishing campaigns are still customised on a target by target basis for the maximum possible chance of encouraging a victim to download a malicious Microsoft Office attachment that says macros must be enabled.

This starts an infection chain that creates multiple backdoors into compromised systems, as well as the ability to grab admin credentials and move laterally across networks.

FIN11 campaigns initially revolved around embedding themselves into networks in order to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.

With finances being the focus of the group, it's likely FIN11 sold this information to other cyber criminals on the dark web, or simply exploited the details for their own gain.

But now FIN11 is using its extensive network as a means of delivering ransomware to compromised networks, with the attackers favouring Clop ransomware and demanding bitcoin to restore the network.

Put simply, this shift in tactics is all about making as much money as possible – and ransomware has become a quick and easy way for cyber criminals to make money from a wider variety of targets.

"FIN11 has likely shifted their primary monetization method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware," Genevieve Stark, analyst at Mandiant Threat Intelligence, told ZDNet.

"Ransomware also increases the potential victim pool since it can be deployed at nearly any organization, while POS malware is only effective against certain targets," she added.

In an effort to blackmail victims into paying the ransom, some ransomware gangs have taken to using their access to networks to steal sensitive or personal data and threaten to leak it if they don't receive payment for the decryption key – and FIN11 have adopted this tactic, publishing data from victims who don't pay.

"FIN11's adoption of data-theft and extortion to increase leverage on victims is further evidence that their motivations are exclusively financial," said Stark.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened

Based on analysis of Russian language in FIN11's files, researchers say that this purely financially motivated operation is likely operating out of one of the Commonwealth of Independent States – and it's highly likely the ransomware attacks will continue.

"We anticipate that FIN11 will continue to conduct widespread phishing campaigns with consistently evolving delivery tactics for the foreseeable future," said Stark.

"FIN11 will probably continue conducting ransomware and data-theft extortion for the immediate future, given many organizations acquiesce to extortion demands," she added.

The attacks have been prolific and successful, but organisations can avoid falling victim to campaigns by FIN11 and other financially motivated groups by following common security advice and applying patches to prevent attackers using known exploits to gain a foothold in networks.

And with FIN11 and other hackers exploiting Microsoft Office macros to conceal malicious payloads, it's recommended that macros are disabled to stop them being used as a starting point for attacks.


Editorial standards