Microsoft researchers have spotted the financially motivated cybercriminal group FIN7 deploying Cl0p ransomware. The ransomware deployment is seen as a shift in the group's tactics. FIN7 was previously observed carrying out ransomware campaigns in late 2021 against U.S. firms using BadUSB devices.

What happened lately?

In its recent attacks, the FIN7 group used a PowerShell-based in-memory malware dropper called POWERTRASH to deploy a post-exploitation tool called Lizar on compromised systems.
  • The group uses Impacket and OpenSSH to infiltrate targeted networks and move laterally before deploying Cl0p ransomware.
  • The Impacket toolkit allows for remote service execution and relay attacks.
  • The Cl0p ransomware strain used in these attacks is one of the newest strains.

Other approaches by FIN7

According to a private report by Microsoft, FIN7's return is marked not just by the new variant of Cl0p but by several other attacks and activities.
  • The group has been linked to other attacks aimed at PaperCut printing servers with Bl00dy, LockBit, and Cl0p ransomware.
  • More groups have been observed leveraging the tools used by FIN7. The financially motivated group FIN11 was observed using a new tool, the inv.ps1 PowerShell script, which is said to be used by FIN7 to deploy the Lizar toolkit.

Why does it matter?

This dramatic return of FIN7 is notable for a few other reasons as well. Several FIN7 members have recently been arrested, including Denys Iarmak (pen tester), Andrii Kolpakov (pen tester), and Fedir Hladyr (a high-level manager). Even after this string of arrests, the sudden increase in activity indicates that the group is still active and growing stronger by the day.

Conclusion

FIN7 is a highly active threat, and its deployment of Cl0p and other ransomware shows its inclination toward scaling up its operations. Organizations should therefore learn about the group's recent activities and tactics as early as possible. For protection, organizations should use a threat intelligence sharing platform to stay updated on the latest global and internal events in real time.
Cyware Publisher