This major criminal hacking group just switched to ransomware attacks

mood · Oct 14, 2020

This major criminal hacking group just switched to ransomware attacks
...they've switched to ransomware because it's the biggest and easiest pay day
October 14, 2020
https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switched-to-ransomware-attacks/

A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign which has been active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become a money-making tool for cyber criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a 'well-established financial crime group' which has conducted some of the longest running hacking campaigns.
Click to expand...

The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.

But now FIN11 is using its extensive network as means of delivering ransomware to compromised networks, with the attackers favouring Clop ransomware and demanding bitcoin to restore the network.
Put simply, this shift in tactics is all about making as much money as possible – and ransomware has become a quick and easy way for cyber criminals to make money from a wider variety of targets.

"FIN11 has likely shifted their primary monetization method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware," Genevieve Stark, analyst at Mandiant Threat Intelligence told ZDNet.
Click to expand...

FireEye: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week.
Click to expand...

mood · Oct 15, 2020

FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
October 14, 2020
https://www.securityweek.com/fin11-spun-out-ta505-umbrella-distinct-attack-group

FIN11 is a new designation for a financially motivated threat actor that may previously have been obscured within the activity set and group usually referred to as TA505. Although there are similarities and overlaps in the TTPs of both groups, researchers have discovered enough differences to separate the groups.

TA505 is largely defined by its large-scale phishing campaigns. It has distributed Dridex and dropped multiple types of ransomware, including GlobeImposter and Philadelphia.
The group now defined by Mandiant (FireEye) Threat Intelligence researchers as FIN11 similarly uses large-scale phishing campaigns, but is primarily defined by its unique use of the CLOP ransomware. The researchers also believe that the code families known as FlawedAmmyy, FRIENDSPEAK and MIXLABEL are unique to FIN11.
Click to expand...

It isn't known how many organizations have fallen victim to FIN11 because of the apparently growing tendency for victims to simply pay for a decryption key. This can be assumed because of the rapidly increasing ransomware demands.
The CLOP group engages in what is sometimes referred to as 'double extortion'.

The CL0P^_- LEAKS website suggests that there have been FIN11 victims in North America, India and Europe. The majority are located in Europe, and about half of those in Germany. "FIN11," say the researchers, has used German-language lures in many of their 2020 campaigns, suggesting that they have actively targeted German organizations."
Click to expand...

mood · Jan 15, 2021

FIN11 e-crime group shifted to CL0P ransomware and big game hunting
January 15, 2021
https://www.scmagazine.com/home/sec...fted-to-cl0p-ransomware-and-big-game-hunting/

The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.

“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”
The research sheds new light on how cybercriminals from the threat group, described as a relentless, big game ransomware hunter that rarely goes more than a day or two between attacks, used the popular CL0P ransomware in their exploitations.
Click to expand...

Telekom’s research contains indicators of compromise for FIN11’s most recent spam-phishing activities through December 2020.
Click to expand...

Log in or Sign up

This major criminal hacking group just switched to ransomware attacks

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

This major criminal hacking group just switched to ransomware attacks

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches