
Threat Intelligence

06:30 PM

Prolific Cybercrime Group Now Focused on Ransomware

Cybercriminal team previously associated with point-of-sale malware and data theft has now moved almost completely into the more lucrative crimes of ransomware and extortion.

An assortment of ransomware campaigns since 2019 are actually the work of a single group, which has evolved from conducting point-of-sale attacks using malware to infiltrating networks and infecting systems with ransomware, researchers say.

In an analysis of a cluster of malicious activity, FireEye's Mandiant linked the attacks to a single cybercrime group, which the company dubbed FIN11. The group uses attack tools and malware that appear to be unique to its operators, who are also known for their use of high-volume e-mail campaigns to initially infect a user at a targeted company and establish a beachhead. While their activity has significantly ramped up through most of 2019 and 2020, their operations appear to stretch back to 2016.


Overall, the group does not display sophisticated tactics, techniques and procedures (TTPs), but they are aggressive in their attempts to gain a foothold in companies, says Kimberly Goody, senior manager of the Mandiant threat intelligence financial crime team at FireEye.

"The main thing that sets this group apart from our perspective is how widespread their campaigns are," she says. "They are sophisticated, but they have a wide reach. And their constant evolution of their TTPs—even though minor—can prevent organizations from being able to adequately defend against their spam campaigns."

The group also highlights a trend observed by FireEye. Since early 2019, financial cybercrime groups once focused on stealing payment-card data are now shifting to compromising corporate networks, infecting a significant number of systems with ransomware, and then extorting the business for large sums, Goody says.

"Point of sale intrusions were very profitable, and we saw actors such as FIN6 and FIN7—all the way back to FIN5—they were targeting payment card data," Goody says. "But ransomware, in terms of actors deploying it post compromise and widely distributing it in one victim's environment, is far more profitable."

FireEye concluded in its analysis that the group likely operates from the Commonwealth of Independent States (CIS), which broke off from the former Soviet Union. The company, however, has not linked their operations to any cyber espionage campaigns. Yet, cybercriminal groups operating in the CIS are likely known to Russian intelligence, and considering that such groups are usually worried enough about Russian law enforcement to avoid infecting systems within Russia, they could be conscripted into such activity, Goody says.

"Right now, we have only seen financially motivated attacks from this group," she says. "But I find it improbable that Russian intelligence is unaware of this operation, and there have been cases of Russian cybercriminal groups—such as Zeus—that have specifically taken actions that appeared to be in line with espionage operations ... so if asked, they would likely have to conduct whatever activity was asked of them."


Earlier this month, Microsoft and a group of security firms worked together to take down the command-and-control channels for the Trickbot botnet, whose operators used the software's modular capabilities to sell access to compromised systems and conduct ransomware attacks for financial gain. Yet, Microsoft—along with the US Cyber Command, reportedly—targeted Trickbot because of concerns that the group behind the malware would use its extensive reach to impact the US elections.

The impact of the takedown is not clear. While some reports have indicated the botnet had suffered disruptions prior to the takedown, ostensibly due to US Cyber Command activities, security firm Proofpoint stated that its researchers had not seen any notable changes in activity.

"The most recent Trickbot campaigns are already using new command and control channels, which shows the threat actors are actively adapting their campaigns," Sherrod DeGrippo, senior director of threat research at Proofpoint, said in a statement to Dark Reading. "[W]e believe it's unlikely we'll see any immediate significant changes in Trickbot delivery volumes as the majority of Trickbot infections appear to come from third party malicious senders at this time."

While FIN11 has its own unique toolsets, the group heavily leverages cybercrime services such as bulletproof hosting providers, private and semi-private malware infrastructure, and the purchase of stolen code-signing certificates, FireEye said in its analysis. 

The largest risk the group poses, however, is its ubiquity, according to FireEye.

"The broad visibility Mandiant experts have into post-compromise activity that has historically followed FIN11's malicious email campaigns suggests that they obtain access to the networks of far more organizations than they are able to successfully monetize," the company stated. "Their high cadence of operations may be an attempt to cast a wide net rather than a reflection of the group's ability to monetize many victims simultaneously."

