FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem

More than 8,147 victims have been compromised by the financially motivated adversary across the world.


A thorough investigation of FIN7 has revealed the organizational structure of the cybercrime group as well as its role as an affiliate for launching ransomware attacks. It has also exposed deeper connections between the group and the wider threat ecosystem, including the now-defunct DarkSide, REvil, and LockBit ransomware families.

The highly active threat group, also tracked as Carbanak, is known for using a wide range of tools and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to lure researchers into carrying out ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses based in the United States. Other notable countries include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's intrusion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the use of stolen credentials purchased on dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly weaponized a number of Microsoft Exchange security flaws, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, to infiltrate target environments. Beyond its double extortion tactics, the group has launched operations that install SSH backdoors on compromised systems, even in cases where the victim had already paid a ransom.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenue, founding date, and number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded as a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of these intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.

These infection chains are also designed to deliver the remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot. IceBot was first identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools developed and distributed by FIN7 include the Cobalt Strike post-exploitation framework and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications.

FIN7 is another example of a criminal organization that operates like a legitimate business: it has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, each with specific responsibilities.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."