This month, it’s the financially motivated cybercriminal groups you need to place on your radar. FIN11 is now considered a financially motivated cybercriminal group because of its shift in strategy. FIN11 isn’t entirely new; this cybercriminal group has been around since 2016. They didn’t start their career deploying ransomware, but FIN11 has decided to shake things up a bit. FIN11 knows, and SpearTip has continuously preached it before, that ransomware attacks continue to grow in both success rate and ransom demand amounts. FIN11 is known for creating both phishing and malware campaigns in the past. The group is said to originate in the Commonwealth of Independent States, a largely Russian-speaking territory. Having been in the industry for more than four years now, FIN11 has gained the knowledge and expertise to understand the power of ransomware and extortion. They are notable for their steep volume of activity within environments once access is gained through phishing campaigns.

Recently, FIN11 has heavily shifted their campaigns to collect information on top of issuing steep ransom demands by encrypting clients’ systems. Their focus has shifted from attacking banks, retailers, and restaurants to the pharmaceutical, shipping, and logistics industries, not only in North America but also in Europe. These industries are widespread, but FIN11 does appear to specifically aim their attacks at high-value targets in order to increase the odds that a victim falls for the attack.

In SpearTip-observed attacks, FIN11 typically sends a malicious Microsoft Office attachment which requires macros to be enabled. If macros are enabled, the infection of your organization’s environment begins. The infection spreads, using Cobalt Strike alongside living-off-the-land techniques to further compromise the network. In doing so, FIN11 is able to obtain admin credentials and move laterally across the network.

In addition, FIN11 uses native-language traps to make email display names and sender addresses more believable. With the use of CLOP ransomware, known for double extortion, FIN11 is able to steal the data and demand a ransom, and if the ransom is not paid, the data is published online.

Although there are a few holes in FIN11’s operations, their attacks are very sophisticated. At this point, it is extremely difficult to name a business sector that has not been attacked by FIN11. FIN11’s shift from POS (point-of-sale) malware to extortion is the main takeaway. It is believed that FIN11 uses services which provide secret domain registration, battle-tested hosting, code signing certificates, and private or semi-private malware.

SpearTip’s ShadowSpear® Memory Injection Prevention module would step in to prevent FIN11 ransomware attacks. Network defenders have the authority to apply strategies to avoid falling victim to FIN11. It usually begins with non-technical end users. Instilling user awareness training and phishing exercises has been shown to correct and improve an organization’s security posture. We have said it time and time again, but the weakest link is usually the human element. Utilizing a trusted EDR tool will put your organization on a higher level of protection for the network. SpearTip always recommends a SIEM tool as well. The SIEM tool will be able to collect and aggregate logs from critical systems and network devices and alert on anomalies, such as those within POS systems. The tool will alert on an intrusion and identify which machine the threat actors entered from, so security engineers are able to immediately identify and counter the attack appropriately.
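The macro-enabled attachment described above leaves a recognisable trace in process-creation telemetry: an Office application spawning a shell or script host. The following Python is an added example of the kind of SIEM-style detection logic a defender could run over aggregated endpoint logs to raise that alert and name the machine where the intrusion began. It is not ShadowSpear® code or any vendor's rule language; the pipe-delimited log format and all host, user and path values are constructed for the example, and the list of Office and script-host process names is an assumption about what typical EDR or Sysmon telemetry records.

```python
"""Flag Office processes that spawn a shell or script host, then name the
first host where that happened (the likely initial-access machine).

Added example; the log format and the sample events below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Assumption: these are the parent/child process names a macro-enabled
# document usually produces when it drops into a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed 'ts|host|user|parent|image|cmdline' line.

    Returns None for malformed lines so a bad record never breaks the sweep."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ProcessEvent(ts, parts[1], parts[2], parts[3], parts[4], parts[5])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_spawned_script(ev: ProcessEvent) -> bool:
    """True when an Office parent launched a shell or script host directly."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SCRIPT_CHILDREN)


def detect(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return matching events in time order, skipping malformed lines."""
    alerts = [ev for ev in map(parse_event, lines)
              if ev is not None and is_office_spawned_script(ev)]
    return sorted(alerts, key=lambda ev: ev.ts)


def entry_host(alerts: List[ProcessEvent]) -> Optional[str]:
    """Host of the earliest alert: where the phishing attachment was opened."""
    return alerts[0].host if alerts else None


# Constructed sample telemetry (not real hosts, users or events).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
SAMPLE_LOG = [
    # Benign: Excel talking to the print spooler helper.
    rf"2021-03-01T09:11:30Z|WS-SALES-02|corp\asmith|{OFFICE}\EXCEL.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    # Macro fired: Word launched cmd.exe on the finance workstation.
    rf"2021-03-01T09:12:04Z|WS-FINANCE-07|corp\jdoe|{OFFICE}\WINWORD.EXE|{SYS32}\cmd.exe|cmd.exe /c start /min powershell.exe -NoP -W Hidden",
    # Follow-on: cmd.exe spawning PowerShell; parent is not Office, so this
    # rule does not fire here (a chain-aware rule would link it to the above).
    rf"2021-03-01T09:15:47Z|WS-FINANCE-07|corp\jdoe|{SYS32}\cmd.exe|{SYS32}\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden",
    # Benign: Outlook opening an attachment in Word.
    rf"2021-03-01T09:20:10Z|WS-HR-03|corp\mlee|{OFFICE}\OUTLOOK.EXE|{OFFICE}\WINWORD.EXE|WINWORD.EXE /n invoice.docm",
    # Malformed record from a broken forwarder; must be skipped, not crash.
    "2021-03-01T09:21:00Z|WS-HR-03|truncated",
    # Second victim, later: Word launching wscript.exe.
    rf"2021-03-01T10:02:55Z|WS-HR-03|corp\mlee|{OFFICE}\WINWORD.EXE|{SYS32}\wscript.exe|wscript.exe //B C:\Users\mlee\AppData\Local\Temp\update.vbs",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ev in hits:
        print(f"ALERT {ev.ts:%Y-%m-%d %H:%M:%S} {ev.host} {ev.user}: "
              f"{basename(ev.parent_image)} -> {basename(ev.image)} | {ev.cmdline}")
    print("initial access host:", entry_host(hits))
```

The rule matches only on the direct parent/child relationship, so it stays cheap enough to run continuously over every endpoint's process-creation stream; ordering the hits by timestamp is what turns a list of alerts into the answer the text asks for, namely which machine the attackers came in through.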

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they are also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.