PRODAFT researchers reveal that the infamous FIN7 threat actor has updated its ransomware activities, providing a unique view of the group’s structure. Learn how to protect yourself against it.
FIN7 is a threat actor that mainly focuses on stealing financial information, but it also sells sensitive information stolen from companies. Also known as the Carbanak threat actor, this organized group is believed to have started operations in 2013 and specializes in banking fraud and stealing credit card information using point-of-sale malware. It has also compromised ATMs and run malicious scripts on them to withdraw cash. The group is known for being technically advanced and highly effective.
To compromise systems, FIN7 uses various methods, such as running phishing campaigns via email or exploiting common vulnerabilities such as ProxyLogon/ProxyShell to penetrate targeted infrastructures. It also purchases stolen credentials from underground markets, which it validates with tools it has developed before using them to access targets’ environments.
FIN7 also exploits the BadUSB attack, which consists of USB sticks with active payloads that simulate a keyboard and run as soon as the USB device is connected to a computer. FIN7 mailed such devices as “gifts” to hospitality or sales employees, along with counterfeit BestBuy gift cards to trick the user into using the USB device.
The ransomware activity of FIN7
FIN7 started using ransomware in 2020 and was affiliated with some of the most active ransomware groups: Sodinokibi, REvil, LockBit, and DarkSide. It seems that the threat actor decided that its operations on POS devices were not profitable enough compared to ransomware attacks.
For ransomware operations, FIN7 chooses its targets based on public information about companies and their revenues. It targets high-income companies, which may pay a ransom faster than smaller ones. The target’s earnings are also used to calculate the ransom amount.
Once initial access to the target’s network is obtained, FIN7 moves laterally within the network and steals files before encrypting them with its ransomware.
Conversation leaks exposed by PRODAFT researchers indicate that when a ransom is paid, 25% goes to the ransomware developers and 20% to the people responsible for accessing the network and performing the technical part of the operation. The largest share of the remainder goes to the head of the team handling the ransom negotiation, and what is left is divided among the other group members.
FIN7 can also retarget a company that has already paid a ransom. Conversations between members reveal that, if the same vulnerabilities are not patched, the group may return to the system with a different ransomware family, posing as an unrelated ransomware actor in order to extract a second ransom.
The vast and organized structure of FIN7
PRODAFT researchers uncovered part of the FIN7 organizational structure, which reveals the main entities of the group: the team leader, the developers, the penetration testers and the affiliates.
The team leaders are experienced masterminds of computer intrusions and ransomware attacks on businesses. The developers are also experienced and are responsible for the custom tools and malware used by the group.
FIN7 affiliates sometimes work for multiple ransomware threat actors. In addition, they sell credit card information that they can steal during their operations.
More surprisingly, FIN7’s leadership sometimes uses threatening language toward members who do not seem to be working hard enough. This can go as far as threatening people’s families if a member wants to resign or evade responsibilities (Image A).
Image A

The goals of FIN7
FIN7 has hit 8,147 targets worldwide, with 16.74% in the US (Figure B).
Figure B

Russia is also highly targeted, although the country never appears in later stages of the attack cycle. This heatmap should therefore be read as an indicator of the broad campaigns that hit companies in the first phase; many of those companies are then judged not worth pursuing by FIN7 for various reasons. Only a small fraction of the more than 8,000 targets are actually attacked and have a ransom demanded of them.
How to protect your organization against this cybersecurity threat
All operating systems and their software must always be kept up to date and patched, as FIN7 sometimes exploits common vulnerabilities to gain a foothold in corporate networks. Security solutions should also be deployed to monitor endpoint and server behavior and detect fraudulent access attempts.
In addition, multi-factor authentication should be deployed wherever possible, and especially on any internet-facing system or service. Since FIN7 routinely buys valid credentials for companies, MFA can prevent it from logging into those systems remotely.
Finally, it is advisable to use device management software that allows administrators to control and monitor USB-connected devices, as FIN7 sometimes uses BadUSB attacks.
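A BadUSB device enumerates as a keyboard, so blocking removable storage alone does not catch it. One detection angle on Windows is the Security log event 6416 ("A new external device was recognized by the system"), which is written when the Audit PnP Activity policy is enabled. The following is an added example written for this article, not PRODAFT's or TechRepublic's code: it parses the message body of constructed 6416 records and flags keyboard-class devices whose vendor ID is not on an allowlist, or that appear on a host where a keyboard is already present. The host names, vendor/product IDs and allowlist are made-up values; the field names and the Keyboard class GUID follow the real event layout.

```python
"""Flag unexpected keyboard-class USB devices in Windows Security event 6416 records.

Example code for this article (not PRODAFT's or FIN7's tooling). Assumes the
'Audit PnP Activity' policy is enabled so that event 6416 is logged.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample records: the "message" text mimics the body of event 6416.
# Host names, VID/PID values and hub ports are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-SALES-07", "time": "2022-12-22T09:01:10", "message": (
        "A new external device was recognized by the system.\n"
        "Device ID:\tHID\\VID_045E&PID_07B9&MI_00\\7&aaaa0001&0&0000\n"
        "Device Name:\tHID Keyboard Device\n"
        "Class ID:\t{4d36e96b-e325-11ce-bfc1-08002be10318}\n"
        "Class Name:\tKeyboard\n"
        "Compatible IDs:\tHID_DEVICE_SYSTEM_KEYBOARD HID_DEVICE_UP:0001_U:0006 HID_DEVICE\n"
        "Location Information:\tPort_#0001.Hub_#0002\n")},
    {"host": "WS-SALES-07", "time": "2022-12-22T09:14:52", "message": (
        "A new external device was recognized by the system.\n"
        "Device ID:\tHID\\VID_DEAD&PID_BEEF\\6&bbbb0002&0&0000\n"
        "Device Name:\tHID Keyboard Device\n"
        "Class ID:\t{4d36e96b-e325-11ce-bfc1-08002be10318}\n"
        "Class Name:\tKeyboard\n"
        "Compatible IDs:\tHID_DEVICE_SYSTEM_KEYBOARD HID_DEVICE_UP:0001_U:0006 HID_DEVICE\n"
        "Location Information:\tPort_#0003.Hub_#0002\n")},
    {"host": "WS-SALES-07", "time": "2022-12-22T09:20:03", "message": (
        "A new external device was recognized by the system.\n"
        "Device ID:\tUSB\\VID_0781&PID_5567\\cccc0003\n"
        "Device Name:\tUSB Mass Storage Device\n"
        "Class ID:\t{36fc9e60-c465-11cf-8056-444553540000}\n"
        "Class Name:\tUSB\n"
        "Compatible IDs:\tUSB\\Class_08&SubClass_06&Prot_50\n"
        "Location Information:\tPort_#0004.Hub_#0002\n")},
    {"host": "WS-HR-02", "time": "2022-12-22T10:02:41", "message": (
        "A new external device was recognized by the system.\n"
        "Device ID:\tHID\\VID_046D&PID_C31C&MI_00\\7&dddd0004&0&0000\n"
        "Device Name:\tHID Keyboard Device\n"
        "Class Name:\tKeyboard\n"
        "Compatible IDs:\tHID_DEVICE_SYSTEM_KEYBOARD HID_DEVICE_UP:0001_U:0006 HID_DEVICE\n")},
    {"host": "WS-HR-02", "time": "2022-12-22T10:09:17", "message": (
        "A new external device was recognized by the system.\n"
        "Device ID:\tHID\\VID_045E&PID_07B9&MI_00\\7&eeee0005&0&0000\n"
        "Device Name:\tHID Keyboard Device\n"
        "Class Name:\tKeyboard\n"
        "Compatible IDs:\tHID_DEVICE_SYSTEM_KEYBOARD HID_DEVICE_UP:0001_U:0006 HID_DEVICE\n")},
]

# Constructed allowlist: vendor IDs of keyboards the organization actually issues.
APPROVED_KEYBOARD_VENDORS: Set[str] = {"045E", "046D"}

FIELD_RE = re.compile(
    r"^(Device ID|Device Name|Class ID|Class Name|Compatible IDs|Location Information):\t(.*)$",
    re.M)
VIDPID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_6416(message: str) -> Dict[str, str]:
    """Extract the 'Field:<TAB>value' lines of an event 6416 message body."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def is_keyboard(fields: Dict[str, str]) -> bool:
    """True for the Keyboard setup class or a HID device claiming the keyboard usage."""
    return (fields.get("Class Name") == "Keyboard"
            or "HID_DEVICE_SYSTEM_KEYBOARD" in fields.get("Compatible IDs", ""))


def vid_pid(fields: Dict[str, str]) -> Optional[str]:
    """Return 'VID:PID' (upper-case hex) from the Device ID, or None if absent."""
    match = VIDPID_RE.search(fields.get("Device ID", ""))
    return f"{match.group(1).upper()}:{match.group(2).upper()}" if match else None


def find_suspicious_keyboards(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Walk events in chronological order and return one alert per suspicious keyboard."""
    seen: Dict[str, Set[str]] = {}   # host -> keyboard VID:PIDs already enumerated
    alerts: List[Dict[str, object]] = []
    for event in events:
        fields = parse_6416(event["message"])
        if not is_keyboard(fields):
            continue
        ident = vid_pid(fields) or "unknown"
        reasons = []
        if ident.split(":")[0] not in APPROVED_KEYBOARD_VENDORS:
            reasons.append("vendor not on keyboard allowlist")
        prior = seen.setdefault(event["host"], set())
        if prior and ident not in prior:
            reasons.append(f"additional keyboard while {len(prior)} already present")
        prior.add(ident)
        if reasons:
            alerts.append({"host": event["host"], "time": event["time"],
                           "device": ident, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_keyboards(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["device"], "; ".join(alert["reasons"]))
```

On a real host the same parser can be fed the `Message` property of records returned by `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6416}`, exported to the SIEM of your choice. The two rules are deliberately independent: an unknown vendor is the cheap check, while "a second keyboard appeared on a workstation that already has one" catches a device that spoofs an approved vendor ID, which is why the example tracks per-host state rather than matching single events.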
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.