A newly identified group of financially motivated hackers, likely based in a Russian-speaking country, has been running high-volume phishing, ransomware, and extortion campaigns in the United States, Germany, and many other countries for the last four years, using the Clop ransomware and various backdoors in their operations.
Researchers at Mandiant have been tracking the group since 2016 and have responded to a number of intrusions in which the group, known as FIN11, has used initial access to a network to move laterally and either deploy ransomware, steal data, or both. In some cases, the group has threatened to release the stolen data unless the victim organization pays a ransom for the information. This tactic has been used by other attack groups in recent months as cybercriminals continue to look for additional ways to monetize their access to enterprise networks. Some victim organizations have refused to pay when hit by ransomware, relying on backups to restore their systems. But it becomes a different conversation when attackers are threatening to publish customer or employee data.
The group has targeted organizations in various countries somewhat at random for several years, but beginning in the first few months of 2020 the attacks have been more focused, going after companies in the pharmaceutical industry as the pandemic progressed. For most of its campaigns, FIN11 has used phishing emails as its initial contact point, usually with either a malicious Office document or HTML attachment included. Like other cybercrime groups, the goal of FIN11’s operations is to make money, but the group does not appear to be especially good at that.
FIN11 shares some of the same tactics and tools as an existing group known as TA505, a Russian attack team that distributes the Dridex malware and has also used several strains of ransomware over the years. But Mandiant’s researchers say the two are distinct and separate groups.
It is common for tools, malware, and techniques to overlap among several separate cybercrime groups as criminals are quick to adopt whatever is working, regardless of where it comes from. This pragmatism extends to the infrastructure that FIN11 uses for its operations, including commercial malware, hosting providers, and certificates to lend legitimacy to tools installed after the initial compromise. FIN11 takes advantage of the full slate of products and services on offer in the criminal underground.
The Clop ransomware deployed by FIN11 is not anything special in terms of functionality and the group uses a couple of different methods for deployment, including Group Policy Objects. However, ransomware is only part of the picture for the group.
The group has followed through on its threats to publish data in some cases, and also have advertised some defensive security services on the same site for $250,000 in Bitcoin.
Mandiant’s researchers said they have moderate confidence that FIN11 is based somewhere in the Commonwealth of Independent States, mostly due to some of the characteristics of the Clop ransomware and the fact that the group’s activity drops sharply during the Russian Orthodox holidays at the beginning of the year.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide. (Read Multifactor Authentication or MFA)
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.