FIN7 does not give up: hackers are back with a new ransomware, Clop
Microsoft has discovered that the group is working in collaboration with other dangerous threat actors.
The well-known cybercrime group FIN7, also known as Carbanak, ELBRUS and Sangria Tempest, has resumed its activities after a long break. In April 2023 Microsoft discovered that the group was using Clop to attack various organizations. This is the group's first ransomware distribution campaign since the end of 2021.
According to Microsoft, the attackers use a PowerShell script called POWERTRASH to download the Lizar (aka DICELOADER or Tirion) post-exploitation tool and gain access to targeted networks. They then use OpenSSH and Impacket to navigate the network and deploy the Clop ransomware.
FIN7 has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit.
FIN7 has been active since 2012 and specializes in stealing banking data and information from payment terminals. The group attacks a wide range of organizations from different industries, including software, consulting, financial services, medical equipment, cloud services, media, food processing, transportation and utilities.
The group also employs unusual tactics, such as setting up fake cybersecurity companies – Combi Security and BastionSecure – to hire employees to carry out attacks and other operations.
Last month IBM Security X-Force reported that members of the now-defunct Conti group are using new malware called Domino, which is developed by a cybercrime cartel.
FIN7's use of POWERTRASH to deliver Lizar was also flagged by WithSecure a few weeks ago, in attacks that exploited a serious vulnerability in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.
The latest development suggests that FIN7 continues to rely on various families of ransomware to attack victims as part of its shift in monetization strategy from payment data theft to ransomware.
In October 2021 FIN7 started using the RaaS (ransomware-as-a-service) model, as it has proven profitable for most hackers. Cybersecurity researchers at Mandiant have discovered that FIN7 has until recently been funding operations related to REvil, DarkSide, BlackMatter and BlackCat. Now, however, the group intends to develop its own version of the ransomware.
FIN7 is believed to have been behind the 2021 attack on Colonial Pipeline, which led to fuel shortages in the eastern United States. According to the FBI, FIN7 members are highly skilled hackers based in Russia.