FIN11 attacks targets that can pay

Why do robbers steal from banks? The answer is “Because that’s where the money is”. To understand the motivations of an online criminal group like FIN11, you can start by trying to understand greed. This collective of thieves, most likely based in the Russian-speaking Commonwealth of Independent States (CIS), started by targeting the financial, retail and restaurant sectors. But FIN11 has expanded its activities and now attacks a number of other sectors.

The evidence that FIN11 is operating out of the CIS includes the use of the Cyrillic alphabet in file metadata. One of the tools they use, a ransomware family called CLOP, also self-terminates before beginning its encryption routines if, based on the keyboard layout and character set, the host is likely located in a CIS country. Further, FIN11’s criminal activity tends to slow down around the Russian New Year and Orthodox Christmas holiday period.

Operating since at least 2016, the group uses a number of malware families, including FlawedAmmyy, FRIENDSPEAK, and MIXLABEL, although the group regularly introduces new tactics as potential targets increase their cyber security protection. For example, in September 2019, the group attached malicious Office files directly to phishing emails, but in November 2019 their emails contained shortened URLs that redirected to a domain that then delivered malicious Office files.

FIN11 uses tools, methods and sophisticated OPSEC to make detection and prosecution of specific individuals in the group challenging. We can think of these specific tools and methods as being the gang’s ‘uniform’ as a way of helping to identify them as part of a formal organisation.

Despite FIN11’s origin in the CIS, the group attacks businesses in a variety of countries. While their primary attack vector is email, they use multiple languages, so targets receive malicious emails in their native tongue, increasing the likelihood of a successful attack.

During 2017 to 2018, FIN11 focused its attacks on the financial, retail and restaurant sectors but the group has broadened its horizons and became more indiscriminate targeting a range of industries and multiple geographies.. The group sends phishing emails, using a variety of lures to fool recipients into opening malicious attachments or clicking on malicious links. These lures most frequently use generic financial themes, but some are tailored to a specific industry or region

As they are financially motivated, FIN11’s activity is focused on targets where there is a high probability of payment. For example, they may perceive that certain industries will be more likely to pay if there is a threat that client data could released into the public domain. Other industries may be motivated to pay if the attack could create an impact to the production of their goods and services.

FIN11 also actively evades detection. The criminals use tactics such as signed certificates to make its malware look legitimate, and also use tools such as SALTLICK to disable Windows Defender.

Over time, the scope and impact of FIN11’s criminal activity has evolved. Since 2019 the group has monetized access via extortion using ransomware, then transitioning to hybrid extortion in 2020. In these cases, they may use a phishing campaign to infiltrate a network and steal information prior to deploying ransomware. They then threaten to publish that data unless a payment is made. For victims, the data may be sensitive, or the leak of data, however innocuous, may be embarrassing and damaging to the company’s reputation.  FIN11 often escalates the threat by increasing the cost of the payment the longer the victim waits.

In attacks prior to 2019, Mandiant Threat Intelligence has observed that FIN11 used the memory scraping tool BLUESTEAL to target point-of-sale systems and steal credit card information. 

In all these attacks the goal is the same – money. While other threat groups execute attacks for a variety of reasons including financial gain, hacktivism, political advantage or espionage, FIN11’s motivation is purely financial. It targets specific organisations based on its perception of who can pay.

Understanding and tracking of groups such as FIN11 is critical for businesses. A layered security approach, that includes threat intelligence as well as defensive measures is critical for businesses so they can know what’s coming and be prepared to protect their networks.