FIN11: A Widespread Ransomware and Extortion Operation

October 15, 2020

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

  • FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion.
  • Their shift is emblematic of the changing nature of cyber criminal activity, which has become increasingly aggressive and difficult to ignore.
  • Intrusive ransomware operations have sharply climbed in popularity with cyber criminals such as FIN11, supplanting other monetization schemes such as point-of-sale malware compromise.
  • FIN11’s brazenness was evident when they targeted pharmaceutical companies in early 2020, a time during which these organizations were especially vulnerable.

Overview

FIN11, a financially motivated threat group, has conducted some of the largest and longest-running malware distribution campaigns Mandiant researchers have observed among financially motivated threat actors to date. In addition to high-volume malicious email campaigns, FIN11 is also notable for its consistently evolving malware delivery tactics and techniques. Mandiant consultants have responded to multiple incidents in which FIN11 was observed monetizing its access to organizations’ networks. Recent FIN11 intrusions have most commonly led to data theft, extortion and the disruption of victim networks via the distribution of CLOP ransomware. In at least one case, FIN11 previously deployed point-of-sale (POS) malware in a victim environment, suggesting a flexible and evolving approach to its intrusion operations.

Mandiant analysts primarily define FIN11 by campaigns observed since 2016 that use code families believed to be exclusive to the group (FlawedAmmyy, FRIENDSPEAK, MIXLABEL), as well as by other overlapping tactics and techniques. There are notable overlaps between FIN11 and an activity set that security researchers call TA505. This term has been widely used in the security community to describe large-scale spam campaigns that date to 2014 and have distributed various families, including Dridex and multiple types of ransomware. FIN11 includes a subset of the activity publicly tracked as TA505, as well as an evolving arsenal of post-compromise tactics, techniques and procedures (TTPs) that have not been publicly reported for TA505. Notably, we have not attributed TA505’s early operations to FIN11 and caution against conflating the two clusters.

About the Provider

FireEye
FireEye is a publicly traded cybersecurity company headquartered in Milpitas, California. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

TOPICS

cyber crime, data theft, ransomware, Threat Intelligence