Prolific Cybercrime Group Now Focused on Ransomware

Cybercriminal team previously associated with point-of-sale malware and data theft has now moved almost completely into the more lucrative crimes of ransomware and extortion.

4 Min Read

An assortment of ransomware campaigns since 2019 are actually the work of a single group, which has evolved from conducting point-of-sale attacks using malware to infiltrating networks and infecting systems with ransomware, researchers say.

In an analysis of a cluster of malicious activity, FireEye's Mandiant linked the attacks to a single cybercrime group, which the company dubbed FIN11. The group uses attack tools and malware that appear to be unique to its operators, who are also known for their use of high-volume e-mail campaigns to initially infect a user at a targeted company and establish a beachhead. While their activity has significant ramped up through most of 2019 and 2020, their operations appear to stretch back to 2016.

Overall, the group does not display sophisticated tactics, techniques and procedures (TTPs), but they are aggressive in their attempts to gain a foothold in companies, says Kimberly Goody, senior manager of the Mandiant threat intelligence financial crime team at FireEye.

"The main thing that sets this group apart from our perspective is how widespread their campaigns are," she says. "They are sophisticated, but they have a wide reach. And their constant evolution of their TTPs—even though minor—can prevent organizations from being able to adequately defend against their spam campaigns."

The group also highlights a trend observed by FireEye. Since early 2019, financial cybercrime groups once focused on stealing payment-card data are now shifting to compromising corporate networks, infecting a significant number of systems with ransomware, and then extorting the business for large sums, Goody says.

"Point of sale intrusions were very profitable, and we saw actors such as FIN6 and FIN7—all the way back to FIN5—they were targeting payment card data," Goody says. "But ransomware, in terms of actors deploying it post compromise and widely distributing it in one victim's environment, is far more profitable."

FireEye concluded in its analysis that the group likely operates from the Commonwealth of Independent States (CIS), which broke off from the former Soviet Union. The company, however, has not linked their operations to any cyber espionage campaigns. Yet, cybercriminal groups operating in the CIS are likely known to Russian intelligence, and considering that such groups are usually worried enough about Russian law enforcement to avoid infecting systems within Russia, they could be conscripted into such activity, Goody says.

"Right now, we have only seen financially motivated attacks from this group," she says. "But I find it improbable that Russia intelligence is unaware of this operation, and there has been cases of Russian cybercriminal groups—such as Zeus—that have specifically taken actions that appeared to be in line with espionage operations ... so if asked, they would likely have to conduct whatever activity was asked of them."


Earlier this month, Microsoft and a group of security firms worked together to take down the command-and-control channels for the Trickbot botnet, whose operators used the software's modular capabilities to sell access to compromised systems and conduct ransomware attacks for financial gain. Yet, Microsoft—along with the US Cyber Command, reportedly—targeted Trickbot because of concerns that the group behind the malware would use its extensive reach to impact the US elections.

The impact of the takedown is not clear. While some reports have indicated the botnet had suffered disruptions prior to the takedown, ostensibly due to US Cyber Command activities, security firm Proofpoint stated that its researchers had not seen any notable changes in activity.

"The most recent Trickbot campaigns are already using new command and control channels, which shows the threat actors are actively adapting their campaigns," Sherrod DeGrippo, senior director of threat research at Proofpoint, said in a statement to Dark Reading. "[W]e believe it's unlikely we'll see any immediate significant changes in Trickbot delivery volumes as the majority of Trickbot infections appear to come from third party malicious senders at this time."

While FIN11 has its own unique toolsets, the group heavily leverages cybercrime services such as bulletproof hosting providers, private and semi-private malware infrastructure, and the purchase of stolen code-signing certificates, FireEye said in its analysis. 

The largest risk the group poses, however, is its ubiquity, according to FireEye.

"The broad visibility Mandiant experts have into post-compromise activity that has historically followed FIN11's malicious email campaigns suggests that they obtain access to the networks of far more organizations than they are able to successfully monetize," the company stated. "Their high cadence of operations may be an attempt to cast a wide net rather than a reflection of the group's ability to monetize many victims simultaneously."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights