FIN11, which is related to TA505, is a low-effort group that relies on malware spam campaigns for initial entry but shows enough desperation to scale its operations.
What has happened?
Financially motivated FIN11 has increasingly used Clop ransomware in its operations since 2020. Throughout 2020, the e-crime group was observed following a consistent pattern across its separate campaigns.
- In its attacks, the group spams potential victims with phishing emails during the workweek, then sifts through those who clicked the malicious link to identify the most attractive corporate targets for further action.
- The group casts a wide net in its phishing operations, then selects victims for exploitation based on characteristics such as geolocation, sector, or security posture.
- In recent FIN11 Clop attacks, the attackers targeted victims with unique variants of the ransomware; the group has used more than a dozen distinct Clop samples so far.
Many of the recent ransom notes from FIN11 specifically name data stolen from workstations that belong to top executives of compromised organizations to increase their chances of getting the ransom.
A shift in monetization methods
- The FIN11 group has shifted its monetization methods from point-of-sale (POS) malware in 2018 to ransomware in 2019, and then to extortion in 2020.
- The group is now more focused on data theft and post-compromise ransomware deployment.
Like FIN11, most threat actors keep changing their tactics to maintain their edge and inflict more damage on targets while they profit. To protect organizations from the increasing risk of such attacks, experts suggest implementing adequate security measures such as backing up important data, keeping systems patched, and training employees to recognize malware-laced phishing attacks.