Financial crime group FIN11 pivots to ransomware and stolen data extortion

Extorting money from companies and other organizations using sophisticated ransomware has become a highly profitable business model for cybercriminals. This has also led to a shift in focus for some groups that were traditionally involved in financial crime and payment card theft.

According to a new report by Mandiant, one such group is FIN11, which throughout 2017 and 2018 targeted primarily organizations from the financial, retail and restaurant sectors. Starting in 2019, however, the group diversified its targeting and arsenal and transitioned to ransomware distribution. In more recent months it doubled down on extortion by also stealing business data from victims and threatening to release it publicly if they don’t pay the ransoms.

Who is FIN11?

FIN11 has been active since at least 2016 and its members are likely based in Russian-speaking countries. Metadata found in the tools used by the group suggests its developers are using the Cyrillic alphabet and the malware itself has checks to prevent damaging systems that have their keyboard layouts and localization configured to languages from the Commonwealth of Independent States (CIS) — a coalition of former Soviet Union countries. The group’s activity also stops around the Russian New Year’s Eve and Orthodox Christmas, which are observed in January, suggesting the group’s members are on holiday during those times.

FIN11’s toolset and techniques overlap with those of other cybercrime groups because it regularly uses malware programs and other services sold on underground markets. That said, a few malware downloaders and backdoors are believed to be unique to FIN11, including those tracked in the industry as FlawedAmmyy, FRIENDSPEAK and MIXLABEL. There are notable similarities between some of FIN11’s activities and those of a group the industry calls TA505, which is associated with the Dridex botnet and Locky ransomware, but Mandiant warns against conflating the two groups because there are also significant differences in their techniques.

“FIN11, a financially motivated threat group, has conducted some of the largest and longest running malware distribution campaigns Mandiant researchers have observed among financially motivated threat actors to date,” the company said in its new report. “In addition to high-volume malicious email campaigns, FIN11 is also notable due to their consistently evolving malware delivery tactics and techniques. Mandiant consultants have responded to multiple incidents where FIN11 has been observed monetizing their access to organizations’ networks.”

Expanded targeting and ransomware

Starting in 2019, researchers have noted significant changes in FIN11’s malware distribution campaigns and phishing lures indicating a more indiscriminate targeting of organizations across multiple industry sectors. This coincided with the group’s transition to a monetization model based on a ransomware program dubbed CLOP.

FIN11’s high-volume email campaigns use generic lures such as fake sales orders, bank statements and invoices, but some have also been tailored to specific countries or industries. Mandiant observed FIN11 phishing emails written in English, Spanish, Korean and German — a significant number of its recent ransomware victims have been from Germany. When targeting a specific industry sector — for example, the pharma sector in January — it used phishing lures relevant to that industry, such as research reports, laboratory accidents, and billing spreadsheets.

The way the group delivers its malware droppers via emails has rapidly evolved over the past two years with changes being made almost every month to better evade detection. Originally, the group’s emails contained Microsoft Office documents with malicious macros, but then the Office files started being placed inside archives that were sent as attachments. The group then stopped using attachments and started including URLs in emails that directed users to Office files hosted on remote servers. It then switched to HTML attachments that redirected users to external URLs hosting malicious Office files.

In the latest FIN11 attacks, the malicious emails had an HTML attachment that redirected victims to compromised domains, which redirected them further to attacker-controlled domains that delivered the malicious Office files after users passed a CAPTCHA challenge. This was likely added to block automated URL scans by security products and services.

Many of the malware samples associated with FIN11 are digitally signed with code signing certificates that are bought through a service on the underground market. The group also uses criminal suppliers for other services such as bulletproof hosting, domain registration and commodity malware tools.

Post intrusion and monetization

Despite casting a wide net with its phishing campaigns, FIN11 choses to perform deeper compromises on only a small subset of its victims, which are likely selected based on their size, industry and likelihood of paying. Like several other sophisticated ransomware gangs, FIN11 uses manual hacking to move laterally through networks and deploy its ransomware, so the group might not have enough manpower to do this on a large scale.

If a victim looks interesting, after the initial intrusion the FIN11 attackers deploy multiple backdoors with the goal of moving laterally and obtaining domain administrator privileges. Even though its exclusive tools like FlawedAmmyy and MIXLABEL are used to gain the initial foothold, the lateral movement activity involves the use of many publicly available tools. This is similar to how an increasing number of hacker groups operate.

Once domain admin credentials have been obtained, the attackers use various tools to disable Windows Defender and deploy the CLOP ransomware to hundreds of computers using Group Policy Objects. FIN11’s ransom notes include only an email address for victims to contact and do not specify a ransom amount, suggesting the ransom is later customized based on who the victim organization is. Public reports have put FIN11’s ransom demands between a few hundred thousand dollars and ten million dollars.

“FIN11 has often been quick to re-compromise hosts at organizations after losing access,” the Mandiant researchers warn. “For example, one organization was compromised via multiple FIN11 email campaigns within a matter of months. At another organization, several servers were infected with CLOP, restored from backups, and later re-infected.”

Starting this year, FIN11 has also adopted the tactic of stealing data and threatening to release it to force ransomware victims to pay. The group has set up a dark website where they have released partial data from companies that refused to pay. In one case, the Mandiant researchers have seen the group engage in stolen data extortion without ransomware being deployed against the victim, but it’s unclear if there is a clear separation between the two extortion tactics or the group planned to also deploy ransomware later.

“Given the group’s recent incorporation of data theft and extortion into their ransomware operations, the associated actors may also choose to prioritize victims likely to have sensitive or proprietary data, such as law firms or research and development companies,” Mandiant warned. “This pattern of selective exploitation could eventually prompt FIN11 actors to seek out additional partnerships with other members of the cybercriminal community who have the resources to monetize accesses that FIN11 obtains.”