FIN7 is a unique group in the shady world of cybercrime. Infamous for sophisticated stolen credit and debit card hacks involving phishing emails and other social engineering methods, the gang’s threat actors deploy a range of constantly evolving tactics to steal money; the latest of those tactics is ransomware. This article overviews FIN7’s operations.

FIN7: Operational Analysis

FIN7 is a large-scale cyber gang with more than 70 employees organized into different business units. Some units develop malware to infect point-of-sale (POS) systems and help steal payment card information. Other units focus solely on the task of crafting convincing phishing emails that entice unsuspecting people into opening malicious attachments.

FIN7 gained infamy for a series of attacks on banks and financial institutions starting in 2013. While no official figures are available, some sources claim the gang managed to steal $900 million using hacking methods that targeted ATM networks. After establishing command and control, the threat actors instructed ATMs to dispense cash, which money mules collected and transferred to FIN7’s members’ bank accounts. Some security researchers aren’t quite certain that FIN7 was behind this set of attacks on banks, and there may have been another entity involved.

The gang gained further notoriety during 2015 for multiple attacks on retail outlets, hotels, casinos, fast-food restaurants, and other businesses with high volumes of POS transactions. After establishing a foothold into a network using a malicious email attachment, FIN7 threat actors installed Carbanak malware, which helped harvest card details from well over 6,500 POS systems.

FIN7’s initial operations were so prolific that businesses in all 50 US states became victims of these attacks. Estimates put the total number of stolen payment cards at 16 million. Typically, threat actors listed these stolen card details for sale on dark web marketplaces. People who bought the stolen cards used them to make standard online retail purchases or to purchase gift cards.

FIN7 On the Ransomware Bandwagon

FIN7 is a prime example of the opportunism at play in the world of cybercrime. Threat actors alter and evolve their attack methods in line with what works and what’s most profitable. FIN7 appears to have jumped on the ransomware bandwagon within the last couple of years. Given FIN7’s propensity for financially motivated attacks, it’s not a big surprise to see the gang shift to ransomware to further increase profits.

An investigation by Truesec in December 2020 detailed a cyber-attack in which typical FIN7 tools, including the Cabarnar remote access trojan, were used to establish a foothold in a victim’s network. In the same attack, threat actors installed Ryuk ransomware on the victim’s computers. Ryuk runs a prolific ransomware-as-a-service operation, and FIN7 threat actors may well have signed up as affiliates in what looks like a particularly dangerous partnership.

In a bizarre attempt to recruit security professionals to carry out parts of their ransomware operations, FIN7 leaders created a fake penetration testing company named Bastion Secure. The recruitment phase for job advertisements at the phony company involved applicants conducting a real penetration test on one of Bastion Secure’s “customers”. Instructions to applicants told them to specifically use tools that couldn’t be detected by security software and to check for file backups once inside the network.

A more recent update about FIN7’s ransomware operations came in January 2022. The FBI warned that FIN7 threat actors began sending malicious USB drives to a range of businesses in August 2021. These drives were packaged to look like they came from legitimate sources, such as Amazon, and they included a thank you letter. Other drives were packaged to look like they contained Covid-19 related information shipped by the US HHS.

When an unsuspecting employee inserts the drive into their computer, the malicious USB loads itself on the computer as a keyboard. Preconfigured keystrokes execute PowerShell scripts that install backdoors into the network. Eventually, threat actors deploy ransomware strains including REvil and BlackMatter.

FIN 7 Arrests

In February 2021, Fedir Hladyr, a Ukrainian national, received a ten-year prison sentence for his role as the systems administrator for FIN7. German police arrested Hladyr three years previously in Dresden and they extradited him to the United States. The Ukrainian played a key role in FIN7’s operations, but such is the large-scale nature of the gang’s operations that losing a key member didn’t stop the threat actors in their tracks. Two other Ukrainian members of FIN7 were also arrested around the time of Hladyr.

Elaborate Phishing Schemes

Phishing emails underpinned the success of FIN7’s cyber-attacks. With an entire unit of the gang dedicated to crafting phishing schemes, it’s easy to see how they managed to lure some victims into opening their malicious email attachments. Without this social engineering ability to gain an initial entry point into victims’ networks, none of the more sophisticated tactics used by the gang would have succeeded.

A US government document features two examples of FIN7 phishing emails. In one case, a restaurant worker opened a malicious attachment from an email claiming to be a customer order. The email body states that “the enclosed document contains the order and my personal info”. While a seasoned security professional wouldn’t have opened this attachment, restaurant workers are not typically security aware. Choosing the right targets is as much a factor in FIN7’s phishing success as choosing the right message.

Regardless of the target or the message, stopping elaborate phishing schemes in their tracks calls for advanced email security solutions. Educating employees in recognizing the signs of phishing is useful, but an advanced email security solution provides the defense needed to accurately detect and mitigate phishing threats.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.