FireEye: ‘FIN11’ Deploys Clop Ransomware
Services used by “FIN11” (Source: FireEye Mandiant)
A newly identified financially motivated threat group, dubbed “FIN11,” is deploying Clop ransomware and exfiltrating data from its targets for extortion efforts, according to researchers at FireEye Mandiant.
It’s the first time in three years that researchers at FireEye Mandiant have officially designated a new financially motivated threat group. Although this group has been around for about four years, researchers just completed efforts to connect various cybercriminal activities to it.
FIN11 has recently increased its activity and expanded into ransomware, data theft and extortion campaigns, says Genevieve Stark, an analyst with Mandiant Threat Intelligence (see: More Ransomware Gangs Threaten Victims With Data Leaking).
“While FIN11 doesn’t exhibit a high degree of technical sophistication, this hasn’t prevented them from impacting numerous organizations across a broad range of sectors and geographic regions,” Stark says.
Over the years, FireEye Mandiant has observed bursts of activity from FIN11 followed by lulls that can last for months. For instance, between March and May, the group appeared to halt all of its schemes. But now, hackers are running up to five separate malicious campaigns in a week.
FIN11’s Evolution
FIN11’s activities initially focused on deploying point-of-sale malware, along with memory-scraping tools such as BlueSteal, to harvest credentials and payment data, according to the report.
The group gradually improved its tactics and techniques, creating much more sophisticated phishing emails to target a wide array of victims. Plus, it started using other malicious tools, including backdoors such as FlawedAmmyy and MIXLABEL, according to the report.
“The group’s malicious email campaigns from 2017 to 2018 primarily targeted organizations in the financial, retail and restaurant sectors,” the report states. “In 2019 and 2020, FIN11 expanded its targeting to a larger, more indiscriminate and diverse set of industries and countries, often using generic financial lures. However, a portion of FIN11’s 2019 and 2020 campaigns targeted organizations in specific industries or regions, often using the target’s native language, coupled with manipulated email sender information, such as spoofed email display names and email sender addresses, to appear more legitimate.”
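The spoofing the report describes relies on the display name of a message carrying one (trusted-looking) address while the actual From, Reply-To or Return-Path headers point elsewhere. The following is an added illustration, not code from FireEye Mandiant or from the article, of how a mail gateway or SOC triage script can surface that mismatch. The two messages and every domain in them are constructed for the example; the header checks are heuristics that should feed a score or a review queue, since legitimate mail sent through third-party providers can also show a Return-Path on a different domain.

```python
import email
import re
from email.utils import parseaddr

# Matches an e-mail address embedded anywhere in free text (used on the display name).
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")

# Constructed sample: display name impersonates example-bank.com, real sender is elsewhere,
# and replies are steered to a third domain. Return-Path is normally stamped by the receiving
# MTA; it is included here by hand so the example runs offline.
CONSTRUCTED_SUSPICIOUS = """\
From: "Accounts Payable <ap@example-bank.com>" <mailer@cheap-hosting.example>
Return-Path: <bounce@cheap-hosting.example>
Reply-To: invoices@another-host.example
Subject: Rechnung 2020-10 faellig
Content-Type: text/plain

Bitte beachten Sie die angehaengte Rechnung.
"""

# Constructed sample of a message whose headers are internally consistent.
CONSTRUCTED_LEGIT = """\
From: "Alice Example" <alice@example-bank.com>
Return-Path: <alice@example-bank.com>
Subject: Q3 statement
Content-Type: text/plain

Statement attached.
"""


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_sender(raw_message):
    """Return a list of human-readable findings about sender-header inconsistencies.

    Checks performed:
      1. An address inside the From display name whose domain differs from the
         domain of the real From address (display-name spoofing).
      2. Return-Path or Reply-To pointing at a domain other than the From domain.
    An empty list means none of the heuristics fired; it is not proof of legitimacy.
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Check 1: address smuggled into the display name.
    for match in EMAIL_IN_TEXT.finditer(display_name):
        claimed = domain_of(match.group(0))
        if claimed and claimed != from_domain:
            findings.append(
                f"display name shows {claimed} but From address is on {from_domain}"
            )

    # Check 2: bounce and reply routing diverge from the visible sender.
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        other = domain_of(addr)
        if other and other != from_domain:
            findings.append(
                f"{header} domain {other} differs from From domain {from_domain}"
            )
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", CONSTRUCTED_SUSPICIOUS), ("legit", CONSTRUCTED_LEGIT)):
        print(label, assess_sender(raw) or ["no findings"])
```

The display-name check is the one that matters most for the lures described above: users see the quoted name, not the angle-bracketed address, so a mail client that hides the latter will render the impersonated brand exactly as the attacker intends. Pairing this with DMARC alignment results from the receiving MTA gives a far stronger signal than either alone.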
Moving to Ransomware
Over the last several months, FIN11 has moved into ransomware and extortion mainly by deploying a variant called Clop (see: More Ransomware Gangs Join Data-Leaking Cult).
Most of the victims that are listed on the CL0P^_-LEAKS website are based in Europe, and FIN11 has been observed sending out phishing emails and other communications in German, according to the report.
Stark says a December 2019 attack targeting Maastricht University in the Netherlands, which the school resolved by paying 30 bitcoins ($220,000), was likely the work of FIN11.
Earlier this month, Software AG, a software company based in Germany, was also targeted with Clop ransomware. The attackers demanded nearly $20 million from the company in exchange for the decryption key, according to ZDNet.
“While we haven’t had the opportunity to analyze technical details for this [Software AG] attack, Mandiant has thus far attributed all intrusions involving Clop deployments to FIN11,” Stark says. “It is possible that FIN11 has increased ransom demands in response to public reporting of companies paying large ransoms and the introduction of hybrid extortion.”
While the majority of Clop attacks have been in Europe, FireEye Mandiant notes that FIN11 has also targeted organizations in the U.S., Canada, the U.K. and parts of Asia.
The report also notes that FIN11 will repeatedly attempt to install Clop within compromised networks. “For example, one organization was compromised via multiple FIN11 email campaigns within a matter of months. At another organization, several servers were infected with CLOP, restored from backups and later re-infected.”
The FireEye Mandiant report does not tie FIN11 to a specific country. The researchers note, however, that some of the group’s metadata is written in Russian, which suggests the hackers are likely operating out of the Commonwealth of Independent States, which includes countries in Eastern Europe and Asia as well as Russia.
FIN11 uses some of the same tools and techniques – including the use of the FlawedAmmyy backdoor – as a group called TA505, the report notes. TA505 is a financially motivated threat group that is known to deploy Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware variants (see: TA505 APT Group Returns With New Techniques: Report).