Why do robbers steal from banks? The answer is "Because that's where the money is". To understand the motivations of an online criminal group like FIN11, you can start by trying to understand greed. This collective of thieves, most likely based in the Russian-speaking Commonwealth of Independent States (CIS), started by targeting the financial, retail and restaurant sectors. But FIN11 has expanded its activities and now attacks a number of other sectors.

The evidence that FIN11 is operating out of the CIS includes the use of the Cyrillic alphabet in file metadata. One of the tools they use, a ransomware family called CLOP, also self-terminates before beginning its encryption routines if, based on the keyboard layout and character set, the host is likely located in a CIS country. Further, FIN11's criminal activity tends to slow down around the Russian New Year and Orthodox Christmas holiday period.

Operating since at least 2016, the group uses a number of malware families, including FlawedAmmyy, FRIENDSPEAK, and MIXLABEL, although the group regularly introduces new tactics as potential targets increase their cyber security protection. For example, in September 2019, the group attached malicious Office files directly to phishing emails, but in November 2019 their emails contained shortened URLs that redirected to a domain that then delivered malicious Office files.

FIN11 uses tools, methods and sophisticated OPSEC to make detection and prosecution of specific individuals in the group challenging. We can think of these specific tools and methods as the gang's 'uniform', a way of helping to identify them as part of a formal organisation.

Despite FIN11's origin in the CIS, the group attacks businesses in a variety of countries. While their primary attack vector is email, they use multiple languages, so targets receive malicious emails in their native tongue, increasing the likelihood of a successful attack.

During 2017 to 2018, FIN11 focused its attacks on the financial, retail and restaurant sectors, but the group has since broadened its horizons and become more indiscriminate, targeting a range of industries and multiple geographies. The group sends phishing emails, using a variety of lures to fool recipients into opening malicious attachments or clicking on malicious links. These lures most frequently use generic financial themes, but some are tailored to a specific industry or region.

As they are financially motivated, FIN11's activity is focused on targets where there is a high probability of payment. For example, they may perceive that certain industries will be more likely to pay if there is a threat that client data could be released into the public domain. Other industries may be motivated to pay if the attack could disrupt the production of their goods and services.

FIN11 also actively evades detection. The criminals use tactics such as signed certificates to make their malware look legitimate, and also use tools such as SALTLICK to disable Windows Defender.

Over time, the scope and impact of FIN11's criminal activity has evolved. Since 2019 the group has monetized access via extortion using ransomware, then transitioned to hybrid extortion in 2020. In these cases, they may use a phishing campaign to infiltrate a network and steal information prior to deploying ransomware. They then threaten to publish that data unless a payment is made. For victims, the data may be sensitive, or the leak of data, however innocuous, may be embarrassing and damaging to the company's reputation. FIN11 often escalates the threat by increasing the cost of the payment the longer the victim waits.

In attacks prior to 2019, Mandiant Threat Intelligence observed that FIN11 used the memory scraping tool BLUESTEAL to target point-of-sale systems and steal credit card information.

In all these attacks the goal is the same: money. While other threat groups execute attacks for a variety of reasons, including financial gain, hacktivism, political advantage or espionage, FIN11's motivation is purely financial. It targets specific organisations based on its perception of who can pay.

Understanding and tracking groups such as FIN11 is critical for businesses. A layered security approach that includes threat intelligence as well as defensive measures is critical for businesses, so they can know what's coming and be prepared to protect their networks.