Mandiant Threat Intelligence researchers have identified FIN11, a financially-motivated hacking group behind bold, large and long-running malware campaigns. The hackers have expanded their range of targets the past two years while using increasingly aggressive ransomware attacks.

"In some ways, FIN11 is reminiscent of APT1," write the researchers, "as they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted."

Researchers note that Mandiant has also responded to numerous FIN11 intrusions, but has only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to exploit further based on characteristics such as sector, geolocation or perceived security posture.

According to Mandiant Threat Intelligence researchers, FIN11 has recently deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods (point-of-sale (POS) malware in 2018, ransomware in 2019, and hybrid extortion in 2020) are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion, the researchers explain.

FIN11 also includes a subset of the activity that security researchers call TA505. However, Mandiant does not attribute TA505’s early operations to FIN11 and cautions against using the names interchangeably.

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “The techniques and motivations described about the FIN11 group, as noted by FireEye, feel a bit like a catch-all. The evolution from malware dropping to ransomware and extortion essentially matches the majority of cybercrime today. Similarly, the use of service providers in the ‘underground’ is also quite common amongst cybercriminals. There is a whole marketplace of providers that cater to and operate in what some refer to as the dark web. These services are not limited to the ones described as in use by FIN11 but include code writing services, monetary exchanges, and more. Broad-based phishing campaigns with the hope of hooking ransomware into an organization for the purpose of extortion, while leveraging malicious service providers, is at the basic footprint of cybercrime today. What makes this group special or different remains to be seen for those of us on the outside of the reporting.”