It’s been about three years since Mandiant has graduated a new FIN group, however, it’s fitting that FIN11 will be promoted given it has conducted some of the largest and longest-running malware distribution campaigns that Mandiant has seen among FIN groups to date and that its operations have targeted a wide variety of sectors and geographic regions. The financial crime group has also recently focused on ransomware and extortion as intrusive ransomware operations have sharply climbed in popularity with cybercriminals.
Here’s are a few highlights from the report to get you started:
- FIN11 is a newly graduated, financially motivated threat group that Mandiant Threat Intelligence assesses with moderate confidence is operating out of Commonwealth Independent States (CIS) nation.
- FIN11 has impacted organizations in a wide variety of sectors and regions, globally. For example, in a single week, Mandiant observed campaigns targeting the pharmaceutical industry, shipping and logistics companies, organizations in North America and Europe, and German and Italian-language speakers. In addition to corporations, FIN11 has targeted entities such as academic institutions, government agencies, and public utilities.
- Active since at least 2016, FIN11 has used widespread phishing campaigns to distribute malware. When active, FIN11 generally conducts multiple phishing campaigns a week, each with thousands of emails, and every month or so they modify their delivery tactics.
- As of late, the group has been using hybrid extortion to monetize their operations. They deploy CLOP ransomware and threaten to release exfiltrated data in order to pressure their victims to paying extortion demands. These demands have ranged from a few hundred thousand dollars to as much as $10 million USD.
The blog link will be https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html