Prolific Cybercrime Group Now Focused on Ransomware

Cybercriminal team previously associated with point-of-sale malware and data theft has now moved almost completely into the more lucrative crimes of ransomware and extortion.

An assortment of ransomware campaigns since 2019 are actually the work of a single group, which has evolved from conducting point-of-sale attacks using malware to infiltrating networks and infecting systems with ransomware, researchers say.

In an analysis of a cluster of malicious activity, FireEye's Mandiant linked the attacks to a single cybercrime group, which the company dubbed FIN11. The group uses attack tools and malware that appear to be unique to its operators, who are also known for their use of high-volume e-mail campaigns to initially infect a user at a targeted company and establish a beachhead. While their activity has significantly ramped up through most of 2019 and 2020, their operations appear to stretch back to 2016.

Overall, the group does not display sophisticated tactics, techniques and procedures (TTPs), but they are aggressive in their attempts to gain a foothold in companies, says Kimberly Goody, senior manager of the Mandiant threat intelligence financial crime team at FireEye.

"The main thing that sets this group apart from our perspective is how widespread their campaigns are," she says. "They are sophisticated, but they have a wide reach. And their constant evolution of their TTPs—even though minor—can prevent organizations from being able to adequately defend against their spam campaigns."

The group also highlights a trend observed by FireEye. Since early 2019, financial cybercrime groups once focused on stealing payment-card data are now shifting to compromising corporate networks, infecting a significant number of systems with ransomware, and then extorting the business for large sums, Goody says.

"Point of sale intrusions were very profitable, and we saw actors such as FIN6 and FI ..