A newly identified group of financially motivated hackers, likely based in a Russian-speaking country, has been running high-volume phishing, ransomware, and extortion campaigns in the United States, Germany, and many other countries for the last four years, using the Clop ransomware and various backdoors in their operations.
Researchers at Mandiant have been tracking the group since 2016 and have responded to a number of intrusions in which the group, known as FIN11, has used initial access to a network to move laterally and either deploy ransomware, steal data, or both. In some cases, the group has threatened to release the stolen data unless the victim organization pays a ransom for the information. This tactic has been used by other attack groups in recent months as cybercriminals continue to look for additional ways to monetize their access to enterprise networks. Some victim organizations have refused to pay when hit by ransomware, relying on backups to restore their systems. But it becomes a different conversation when attackers are threatening to publish customer or employee data.
The group has targeted organizations in various countries somewhat at random for several years, but beginning in the first few months of 2020 the attacks have been more focused, going after companies in the pharmaceutical industry as the pandemic progressed. For most of its campaigns, FIN11 has used phishing emails as its initial contact point, usually with either a malicious Office document or HTML attachment included. Like other cybercrime groups, the goal of FIN11’s operations is to make money, but the group does not appear to be especially good at that.
“Despite the group's widespread high-volume email campaigns, we have only observed evidence of FIN11 successfully monetizing their operations in a handful of cases. In late 2018, Mandiant analysts observed FIN11 attempt to monetize their operations using the point-of-sale (POS) memory scraping tool BLUESTEAL. Since then, FIN11 has deployed CLOP ransomware at a variety of organizations,” a new report on FIN11 released by Mandiant today says.
FIN11 shares some of the same tactics and tools as an existing group known as TA505, a Russian attack team that distributes the Dridex malware and has also used several strains of ransomware over the years. But Mandiant’s researchers say the two are distinct and separate groups.
“FIN11 includes a subset of the activity publicly tracked as TA505, as well as an evolving arsenal of post-compromise tactics, techniques and procedures (TTPs) that have not been publicly reported on TA505. Notably, we have not attributed TA505's early operations to FIN11 and caution against conflation of the two clusters,” Mandiant’s report says.
It’s quite common for tools, malware, and techniques to overlap among several separate cybercrime groups as criminals are quick to adopt whatever is working, regardless of where it comes from. This pragmatism extends to the infrastructure that FIN11 uses for its operations, including commercial malware, hosting providers, and certificates to lend legitimacy to tools installed after the initial compromise. FIN11 takes advantage of the full slate of products and services on offer in the criminal underground.
“Criminal actors can purchase a wide range of services and tools in underground communities—including private or semi-private malware capabilities, bulletproof hosting providers, various DNS-related services (including registration and fast-flux or dynamic DNS offerings) and code signing certificates—from actors who specialize in a single phase of the attack lifecycle. The outsourcing of tools and services associated with various parts of the attack lifecycle through criminal service providers can frustrate attribution efforts,” the Mandiant report says.
The Clop ransomware deployed by FIN11 isn’t anything special in terms of functionality, and the group uses a couple of different methods for deployment, including Group Policy Objects. But ransomware is only part of the picture for the group.
“More recently, in 2020, FIN11 has evolved to conduct hybrid extortion attacks, combining ransomware with data theft to pressure their victims into acquiescing to extortion demands. In these cases, the actors accessed several dozen systems, staged data in RAR archives, uploaded the files to MegaSync servers, deployed CLOP ransomware and then sent an email threatening to publish the data,” the Mandiant report says.
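As an added example (not code from Mandiant's report or this article), the following Python sketch correlates constructed endpoint and proxy log lines for the staging chain described above: RAR archive creation on a host followed by a large upload to MEGA infrastructure. The mega.nz and mega.co.nz domains, the two-hour window and the 100 MiB threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Correlate constructed endpoint and proxy log lines for the staging
chain the report describes: RAR archives staged on a host, then large
uploads to MEGA (MegaSync) infrastructure. Sample logs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp host kind detail
SAMPLE_LOG = """\
2020-10-01T02:10:05 WS-14 proc rar.exe a -r C:\\Users\\Public\\st1.rar \\\\FS01\\Finance
2020-10-01T02:12:40 WS-14 proc rar.exe a -r C:\\Users\\Public\\st2.rar \\\\FS01\\HR
2020-10-01T02:31:12 WS-14 net  mega.nz 443 bytes_out=734003200
2020-10-01T02:45:00 WS-14 net  g.api.mega.co.nz 443 bytes_out=612000000
2020-10-01T09:00:00 WS-07 proc rar.exe a C:\\temp\\backup.rar C:\\Projects
2020-10-01T14:05:00 WS-07 net  update.microsoft.com 443 bytes_out=4096
"""

MEGA_DOMAINS = ("mega.nz", "mega.co.nz")  # MEGA service domains (assumed list)
WINDOW = timedelta(hours=2)                # staging-to-upload window (assumed tuning)
MIN_UPLOAD_BYTES = 100 * 1024 * 1024       # 100 MiB, assumed threshold

def parse(line):
    ts, host, kind, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, kind, detail

def is_mega(domain):
    return any(domain == d or domain.endswith("." + d) for d in MEGA_DOMAINS)

def find_staging_and_exfil(log_text):
    """Return {host: [(rar_time, upload_time, domain, bytes)]} for hosts that
    created a RAR archive and then pushed a large upload to MEGA within WINDOW."""
    rar_times, hits = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, host, kind, detail = parse(line)
        if kind == "proc" and detail.lower().startswith("rar.exe a"):
            rar_times[host].append(ts)
        elif kind == "net":
            domain, _port, size = detail.split()
            nbytes = int(size.split("=")[1])
            if is_mega(domain) and nbytes >= MIN_UPLOAD_BYTES:
                for rt in rar_times[host]:
                    if timedelta(0) <= ts - rt <= WINDOW:
                        hits[host].append((rt, ts, domain, nbytes))
                        break  # one alert per upload is enough
    return dict(hits)

if __name__ == "__main__":
    for host, events in find_staging_and_exfil(SAMPLE_LOG).items():
        for rt, ut, dom, nb in events:
            print(f"{host}: RAR staged {rt:%H:%M}, {nb} bytes to {dom} at {ut:%H:%M}")
```

Only WS-14 is flagged: its archives are followed within the window by two large uploads to MEGA domains, while WS-07's backup archive is never followed by such an upload.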
The group has followed through on its threats to publish data in some cases, and has also advertised defensive security services on the same site where it publishes stolen data, for $250,000 in Bitcoin.
Mandiant’s researchers said they have moderate confidence that FIN11 is based somewhere in the Commonwealth of Independent States, mostly due to some of the characteristics of the Clop ransomware and the fact that the group’s activity drops sharply during the Russian Orthodox holidays at the beginning of the year.
“Samples of CLOP ransomware check for keyboard layouts commonly used in the CIS countries and for the Russian character set (204) before execution. If both the keyboard layout and character suggest the host is in a CIS country, CLOP will delete itself,” Mandiant’s report says.