FIN11 hacking group is now engaged in ransomware attacks and is distributing the Clop ransomware

FIN11 engaged in ransomware attacks
Written by Emma Davis

Experts from Mandiant (FireEye) have published a report on FIN11, a financially motivated group active since 2016. The group, which has historically pursued financial gain through its intrusions, is now conducting ransomware attacks and infecting corporate networks with the Clop ransomware.

Early FIN11 campaigns focused primarily on organizations in the financial, retail and restaurant sectors, but in recent years the group has become far less selective in its targeting. Attackers now go after a wide variety of companies in North America and Europe.

For example, since August 2020, criminals have compromised companies in defense, energy, finance, healthcare and pharmaceuticals, law, telecommunications, technology and transportation.


FIN11 attacks usually start with phishing emails that deliver the FRIENDSPEAK malware downloader. The attackers' emails use a variety of lures, including money transfer documents, invoices, and fake confidential bonus information.

In reality, such messages carry malicious HTML attachments that pull in content (via iframes or embed tags) from compromised websites, which are often filled with outdated content and look abandoned. Before the Excel document with the malicious macro is served, the victim is asked to solve a CAPTCHA, a step that also frustrates automated sandbox analysis of the attachment.

FRIENDSPEAK, in turn, downloads a second piece of malware to the user's machine, MIXLABEL, which is also considered specific to FIN11. MIXLABEL communicates with a command and control domain that is often disguised as a Microsoft Store address (for example, us-microsoft-store[.]com).
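The two traits of this delivery chain that a mail gateway or analyst can check cheaply are an HTML attachment that loads remote content from a third-party site, and a contacted hostname that borrows a brand name (here, "microsoft") without sitting under that brand's real domain. The script below is an added example written for this article; it is not FIN11 tooling or Mandiant's code. The sample attachment, the `.test` hostnames (modelled on the us-microsoft-store[.]com pattern above) and the list of legitimate Microsoft apex domains are constructed assumptions.

```python
"""Triage helper for HTML email attachments of the kind described above.

Added example for this article, not FIN11 tooling or Mandiant's code. It lists the
remote URLs an HTML attachment would fetch through iframe/embed/object/script/frame
tags and flags hostnames that impersonate a brand (a 'microsoft' label on a host
whose apex domain is not a real Microsoft domain). Runs offline on an embedded,
constructed sample attachment.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Tags/attributes that make a browser fetch remote content when the attachment opens.
REMOTE_LOADERS = {
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "script": ("src",),
}

# Assumption: legitimate apex domains per brand. Extend this per tenant.
BRAND_APEX = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
}

# Constructed sample attachment: a hidden iframe to an abandoned-looking blog plus an
# embed pointing at a Microsoft-Store lookalike host (.test TLD, never resolves).
SAMPLE_ATTACHMENT = """<html><body>
<p>Please review the attached invoice.</p>
<iframe src="https://example-abandoned-blog.test/wp-content/inv.html" width="1" height="1"></iframe>
<embed src="https://us-microsoft-store.test/verify" />
<img src="cid:logo">
</body></html>"""


class RemoteRefExtractor(HTMLParser):
    """Collects (tag, url) for every tag that would load remote content."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_LOADERS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append((tag.lower(), value.strip()))


def extract_remote_refs(html: str) -> List[Tuple[str, str]]:
    parser = RemoteRefExtractor()
    parser.feed(html)
    parser.close()
    return parser.refs


def apex_of(host: str) -> str:
    """Naive apex domain (last two labels). Fine for the .com/.test hosts used here;
    production code should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand name if the host mentions a brand outside its real apex domains."""
    host = host.lower()
    apex = apex_of(host)
    for brand, legit_apexes in BRAND_APEX.items():
        if brand in host and apex not in legit_apexes:
            return brand
    return None


def triage_attachment(html: str) -> Dict:
    """Return every external load the attachment would perform, with lookalike verdicts."""
    findings = []
    for tag, url in extract_remote_refs(html):
        parsed = urlparse(url)
        # Relative, cid: and data: references do not reach out to the network.
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        host = parsed.hostname
        findings.append({"tag": tag, "host": host, "brand_lookalike": impersonated_brand(host)})
    return {"remote_loads": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for finding in triage_attachment(SAMPLE_ATTACHMENT)["remote_loads"]:
        print(finding)
```

Any `remote_loads` entry at all is worth a second look for an attachment that claims to be an invoice; a non-empty `brand_lookalike` is the stronger signal. Punycode and homoglyph hostnames are deliberately out of scope here, so decode IDNs before feeding hosts to `impersonated_brand` if your gateway sees them.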


Mandiant's experts also noted another interesting trait: even after a victim's network has been encrypted with Clop, the attackers do not walk away. In one case, they re-compromised an organization a few months after the first incident. In another, FIN11 regained access to a company's network after the victim had restored the infected servers from backups, which suggests that rebuilding from backups alone, without removing the initial foothold, is not enough.

The researchers did not specify the ransom amounts FIN11 demands, but note that Coveware, which specializes in helping firms recover from ransomware attacks, reports demands ranging from several hundred thousand to tens of millions of dollars.

FIN11 is a separate group, but its tactics, attack methods and malware are very similar to the work of another well-known hacking group, TA505. It is believed that this group has existed since at least 2014 and has been associated with such large-scale malicious campaigns as the distribution of the Dridex banker and Locky ransomware, as well as the use of many other malicious programs, including BackNet, Cobalt Strike, ServHelper, Bart, FlawedAmmyy, SDBbot RAT, DoppelPaymer, and others, write Mandiant researchers.

Recently, TA505 has also been distributing the Clop ransomware and has begun exploiting the critical ZeroLogon vulnerability (CVE-2020-1472) to obtain domain administrator privileges on the domain controllers of compromised organizations.

Based on their own analysis, the researchers write that FIN11 is a Russian-speaking group operating from one of the former USSR countries. This assessment is supported by Russian-language file metadata, the fact that the group deploys Clop only on machines whose keyboard layout is not one used in former USSR countries, and a clear drop in activity during the Russian New Year and Orthodox Christmas holidays.

Clop was also recently used in an attack on the German company Software AG.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
