
Financially motivated cybercrime group FIN11 has begun using ransomware as its main monetisation method.

Initially, the group focused its attacks on banks, restaurants and retailers, but it has since grown to indiscriminately target a wide range of sectors in many locations around the world, sending out thousands of phishing emails and attacking several organisations at the same time.

FireEye’s Mandiant researchers discovered FIN11 hackers using spear-phishing messages distributing a malware downloader dubbed FRIENDSPEAK.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands,” reads the analysis published by FireEye.

“The group’s shifting monetisation methods—from point-of-sale (POS) malware in 2018 to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The attacks start when a victim enables the macro embedded in an Excel spreadsheet attached to one of the phishing emails.

The macro downloads and executes the FRIENDSPEAK code, which in turn downloads the MIXLABEL malware.

The macros in the Office documents used as lures have been modified and now also include geofencing techniques.
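The delivery chain described above (a macro-enabled Excel lure, a downloader, then a second-stage payload) is a mail-gateway problem before it is an endpoint one. The following is an added example, not code from FireEye, Mandiant or this article: a Python check that opens an Office attachment as the ZIP container that OOXML files are and flags the VBA project part and the macro-enabled content type, so such attachments can be quarantined before a user ever sees the "enable content" prompt. The part name and content types are the standard OOXML identifiers; the sample workbooks are constructed in memory and carry a placeholder instead of real VBA. Legacy binary formats (.xls, .doc) are OLE containers, not ZIP, so the check routes them to manual review rather than guessing.

```python
import io
import zipfile

# Standard OOXML identifiers for a VBA project; the documents built below are constructed.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
# Extensions that promise a macro-free document; VBA inside one is a mismatch worth flagging.
MACRO_FREE_EXTENSIONS = (".xlsx", ".docx", ".pptx")


def find_macro_indicators(data: bytes) -> dict:
    """Inspect an attachment's raw bytes and report macro indicators found in the container."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "macro_content_type": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP, so not OOXML (legacy OLE formats land here too)
    with zf:
        result["is_ooxml"] = True
        names = zf.namelist()
        # The VBA project is stored as its own part, e.g. xl/vbaProject.bin or word/vbaProject.bin
        result["parts"] = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        result["has_vba_part"] = bool(result["parts"])
        # [Content_Types].xml declares the main part's type; macro-enabled files use a distinct one
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(t in ct_xml for t in MACRO_CONTENT_TYPES)
    return result


def classify_attachment(filename: str, data: bytes):
    """Return a (verdict, reason) pair for a mail attachment: quarantine, review or allow."""
    ind = find_macro_indicators(data)
    if not ind["is_ooxml"]:
        return ("review", "not-ooxml")  # needs an OLE-aware parser instead
    if ind["has_vba_part"] and filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return ("quarantine", "vba-project-in-macro-free-extension")
    if ind["has_vba_part"]:
        return ("quarantine", "vba-project-present")
    if ind["macro_content_type"]:
        return ("quarantine", "macro-enabled-content-type")
    return ("allow", "no-macro-indicators")


def build_sample_workbook(macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped workbook in memory (test fixture, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CONTENT_TYPES[0] if macro else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # Constructed placeholder bytes standing in for a VBA project stream.
            zf.writestr("xl/vbaProject.bin", b"\x00CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.xlsm", build_sample_workbook(True)),
                      ("report.xlsx", build_sample_workbook(False)),
                      ("report.xlsx", build_sample_workbook(True)),
                      ("old.xls", b"\xd0\xcf\x11\xe0constructed-ole-header")]:
        print(name, classify_attachment(name, doc))
```

In a gateway this check runs on every Office attachment before delivery; the mismatch verdict is the one to page on, since a file named `.xlsx` that contains a VBA project has been deliberately relabelled. Pair it with the macro policy on endpoints (block macros in files from the internet) so that a lure that slips past the gateway still cannot run its downloader.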

FIN11 includes a subset of the activity attributed to the TA505 cybercrime gang, which has been active since 2014 and has focused on the retail and banking sectors.

“Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum,” reads the analysis. 

The group has used services that provide anonymous domain registration, code signing certificates, bulletproof hosting, and private or semi-private malware.

Mandiant researchers expect FIN11 to continue targeting organisations that hold sensitive proprietary data and that are likely to pay a ransom to restore their operations after an attack.
