Microsoft has discovered that the group is working in collaboration with other dangerous threat actors.
The well-known cybercrime group FIN7, also tracked as Carbanak, ELBRUS and Sangria Tempest, has resumed its activities after a long break. In April 2023, Microsoft observed the group deploying the Clop ransomware against various organizations, its first ransomware distribution campaign since the end of 2021.
According to Microsoft, the attackers use a PowerShell script called POWERTRASH to load the Lizar (aka DICELOADER or Tirion) post-exploitation tool and gain a foothold in targeted networks. They then use OpenSSH and Impacket to move laterally through the network and deploy the Clop ransomware.
FIN7 has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit.
FIN7 has been active since 2012 and specializes in stealing banking data and information from payment terminals. The group attacks a wide range of organizations from different industries, including software, consulting, financial services, medical equipment, cloud services, media, food processing, transportation and utilities.
The group also employs unusual tactics, such as setting up fake cybersecurity companies - Combi Security and BastionSecure - to hire employees to carry out attacks and other operations.
IBM Security X-Force reported last month that members of the now-defunct Conti group are using new malware called Domino, which is developed by a cybercrime cartel.
The use of FIN7's POWERTRASH to deliver Lizar was also noted by WithSecure a few weeks ago in connection with attacks that exploited a serious vulnerability in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.
The latest development suggests that FIN7 continues to rely on various families of ransomware to attack victims as part of its shift in monetization strategy from payment data theft to ransomware.
In October 2021, FIN7 started using the RaaS (ransomware-as-a-service) model, which had proved profitable for many criminal groups. Cybersecurity researchers at Mandiant found that, until recently, FIN7 had been used to fund operations related to REvil, DarkSide, BlackMatter and BlackCat. Now, however, the group intends to develop its own ransomware.
FIN7 is believed to have been behind the 2021 Colonial Pipeline attack, which led to fuel shortages in the eastern United States. According to the FBI, FIN7 members are highly skilled hackers based in Russia.