Meet FIN11, a cybercrime outfit going after pharma companies while leaning on extortion

Written by Tim Starks

Researchers have pieced together details about a newly identified, financially motivated hacking group they say is behind bold, large and long-running malware campaigns.

And it's only getting worse: The hackers have expanded their range of targets over the past two years while using increasingly aggressive ransomware attacks, according to research published Tuesday by FireEye's threat intelligence unit, Mandiant.

The company dubbed the group FIN11, a designation it gives financial crime groups. That makes it the first group to get the FIN label since FIN10 three years ago.

The hackers are notable for “removing the last vestiges of restraint” in their ransomware and extortion targeting, said John Hultquist, senior director of analysis for Mandiant Threat Intelligence, a unit of FireEye. They’ve gone after pharmaceutical companies and other health care targets during the COVID-19 pandemic.

More broadly, the health care industry has encountered a barrage of attacks from hackers during the pandemic, including ransomware attacks that authorities say have hit hospitals and health care conglomerates, and attempts to hack companies working on a COVID-19 vaccine. Among the FIN groups identified to date, FIN7, which U.S. prosecutors have accused of stealing more than $1 billion from victims, might be the most notorious.

FIN11 didn’t begin as a ransomware operation, researchers said. But as the practice has become more lucrative, FIN11 has adopted the digital extortion technique, demanding ransoms of up to $10 million after locking victims’ systems and threatening to release data unless they pay.

“They’re clearly undeterred and willing to not only take all this money and disrupt their operations, but publicly embarrass and extort them,” Hultquist said.

From 2017 to 2018, FIN11 mostly targeted the financial, retail and restaurant sectors. In 2019 and 2020, it got less choosy and more prolific, mostly using generic email lures such as “bank statement” or “invoice” to trick targets, but sometimes tailoring its lures by region and language. Mandiant has observed successful attacks in North America, Europe and elsewhere.

Mandiant has “moderate” confidence that the group is based in the largely Russian-speaking Commonwealth of Independent States, but couldn’t narrow it to a specific nation, Hultquist said.

While FIN11 has been active since 2016, its tactics and techniques overlap with the group known as TA505 that’s been around since at least 2014. Nonetheless, “we have not attributed TA505’s early operations to FIN11 and caution against conflation of the two clusters,” Mandiant said in its full report on FIN11.
