Defending against FIN11

BrandPost By Anthony Caruana
Jan 27, 2021

The criminal gang FIN11 has been conducting criminal activities for years, using tactics such as ransomware, extortion and data theft. Based in the Commonwealth of Independent States (CIS), the gang has been observed using phishing emails to penetrate the defences of companies around the world.

So how can you protect your business from these criminals?

A protected padlock with checkmark amid a field of abstract data.
Credit: Matejmo / Getty Images

The criminal gang FIN11 has been conducting criminal activities for years, using tactics such as ransomware, extortion and data theft.

So how can you protect your business from these criminals?

FIN11’s ransomware and extortion operations rely on a number of key tools to infiltrate target organisations and encrypt and exfiltrate data in order to monetise their attacks. Although the group has been known to use tools such as , it changes its tactics in order to evade detection and overcome potential countermeasures some targets might employ.

The shift in tactics and methods is important, as tracking how the group changes is critical to building a defence. At one point the group attacked by attaching malware-laden Office files directly to phishing emails. When that tactic lost effectiveness, the group switched to using shortened URLs that were used to deliver malicious Office files. The group continues to update its tactics in order to overcome evolving defences.

The tools, methods and OPSEC employed by FIN11 make detection and prosecution of specific individuals in the group challenging.

The group also uses malware that can disable end-point security software, such as Windows Defender, in order to maximise the chance of a successful attack. Further, the group likely decreases the likelihood of local law enforcement intervention by not targeting organisations based in the CIS. FIN11 sometimes uses the CLOP family of ransomware, which self-terminates before encrypting any files if the computer is using a keyboard layout or character set that is common to the CIS. The group’s activity also slows down over the Orthodox holidays and Russian New Year periods.

What is FIN11 after? The answer is simple. Its motivation is financial. That means extortion, ransomware, credential theft and data theft are FIN11’s principal criminal acts.

Defending against an adversary like FIN11 may seem difficult. But the group’s financial motivation provides a hint on how to defend against them. Because they are chasing money, increasing the cost of an attack for them effectively diminishes their return on investment. You may not be able to stop an attempted attack, but you can make the cost of an attack high enough that FIN11 moves on.

Threat intelligence is critical. It is important to know what groups like FIN11 are doing and what tactics they are using. That allows you to alert users for tell-tale signs of an attack and to ensure your other protective measures are ready.

Adopting a layered approach to security, leveraging best-practice frameworks such as the ASD Essential 8, NIST Cybersecurity Framework or ISO27001, helps to ensure that you are covering all bases when it comes to your security posture. The days of firewalls and end-point software being enough are well behind us. Cybersecurity is far more complex. These and other frameworks provide the tools to ensure a comprehensive strategy is in place.

Technology works hand-in-hand with user education. With email used as a primary attack vector by FIN11 and many other criminal collectives, having tools at the network’s edge to monitor for potentially malicious messages and to test file attachments for malicious payloads is critical.
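The two delivery tactics described above (malicious Office attachments, then shortened URLs pointing at Office files) can be turned into a simple mail-gateway triage rule that escalates only messages scoring above a threshold. This is an added example, not code from the article or from Mandiant; the shortener host list, the scoring weights and the sample messages are all constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Assumed list of URL-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
# Office formats used as lures; macro-enabled types score higher.
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def score_message(msg):
    """Return (score, reasons) for a message dict with 'attachments' and 'body' keys."""
    score, reasons = 0, []
    for name in msg.get("attachments", []):
        ext = os.path.splitext(name.lower())[1]
        if ext in MACRO_EXT:
            score += 3
            reasons.append(f"macro-enabled Office attachment {name}")
        elif ext in OFFICE_EXT:
            score += 1
            reasons.append(f"Office attachment {name}")
    for url in URL_RE.findall(msg.get("body", "")):
        parsed = urlparse(url)
        if (parsed.hostname or "") in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened URL {url}")
        elif parsed.path.lower().endswith(tuple(OFFICE_EXT | MACRO_EXT)):
            score += 2
            reasons.append(f"direct link to Office file {url}")
    return score, reasons


def triage(messages, threshold=2):
    """Return ids of messages at or above the threshold, so only meaningful alerts are escalated."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]


# Constructed sample messages (not real FIN11 data).
SAMPLE = [
    {"id": 1, "attachments": ["Invoice_4471.xlsm"], "body": "Please review the attached invoice."},
    {"id": 2, "attachments": [], "body": "Your document is ready: https://bit.ly/3xyzABC"},
    {"id": 3, "attachments": ["agenda.pdf"], "body": "Agenda for Tuesday attached."},
    {"id": 4, "attachments": [], "body": "Full report at https://www.example.test/reports/q4.docx"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["id"], score_message(m))
    print("escalate:", triage(SAMPLE))
```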

With endpoints and security appliances collecting vast amounts of network telemetry, it’s possible to use tools that can detect suspicious activity on the network and automatically launch defensive measures or send alerts to security teams. This means that only alerts, or combinations of alerts, that are indicators of issues are escalated.

Businesses should also ensure they regularly test that the measures they put in place and their response processes are adequate. Red teaming, penetration testing and business continuity exercises are important as they ensure both the technical and human responses to security incidents are appropriate.

At the heart of any successful security and threat response are people. It’s important to remember that FIN11 is a group of well-resourced and motivated people. Your organisation’s security response strongly relies on people – everyone from end-users through to your expert security team – who have been properly trained to recognise and respond to threats.

Businesses that adopt a sound methodology, carry out routine threat intelligence and use the right technology with a well-trained and prepared workforce can be well placed to thwart the attacks of FIN11 and other groups of their ilk.

To read the full report into FIN11 and find out more about their ransomware and extortion operations, register for free with the Mandiant Advantage Intelligence Portal, where you can learn about the threats that matter to you, right now.