Understanding how cybercrime group FIN7 has evolved into a major ransomware player

David Strom 8 Apr 2022

These developments go to show that ransomware continues to attract criminals and steal funds.

Malware group FIN7 is once again on the move, leveraging software supply chains, remote program execution methods, and stolen credentials to deliver ransomware to enterprise networks. The group has been around since at least 2015. Initially, the gang made its reputation by maintaining persistent access at target companies with its custom backdoor malware, and for targeting point-of-sale systems with credit card skimmer software.

FIN7 is known by various names, including Carbanak and the Navigator group. More insidiously, the group has posed as a fake infosec consultancy, first under the name Combi Security and recently as a new fake company called Bastion Secure. One legitimate security analyst was recruited by Bastion, and you can read about the whole sordid process and the subsequent investigation, which shows the lengths FIN7 goes to in disguising itself and its criminal intentions. This enabled analysts to review the malware source code and further understand the group's tactics in order to track its activity more effectively.

The group has had its ups and downs. In 2018, FIN7 compromised the networks of Saks Fifth Avenue and Lord & Taylor stores and subsequently sold data from over 5M payment cards on the dark web. In June 2021, there was a major break for law enforcement when a mid-level supervisor pled guilty to conspiracy charges, receiving a seven-year jail term and a $2.5M restitution order. The man was arrested in Spain in 2018 and extradited to the US the following year. Finally, just this month, another individual was sentenced to five years in prison for their work as a "high-level hacker" in the group.

Earlier this year, the group tried the old chestnut of sending infected USB memory sticks in the mail. They appeared to originate from the US Department of Health and Human Services or Amazon and contained the BadUSB malware, which can be used for remote program execution or to inject other malware into a victim's PC.

Ransomware continues to attract criminals and steal funds

FIN7 has moved into ransomware using REvil, DarkSide, and BlackMatter attacks. One of its go-to tools is called PowerPlant, which has been under development by the group for several years and has been used in numerous 2021 attacks. The group specializes in PowerShell programs and unique commands that can be tracked across malware infections. PowerPlant is a vast framework of backdoor entry points and numerous add-on modules that can be used for network reconnaissance, remote control, and bypassing Windows malware scans.

Further reading:
Changes in the ransomware landscape
The rise of ransomware as a service

There are several defensive measures that you should take to avoid ransomware, including locating all of your business-critical data and ensuring not only that it is backed up but that you can restore these backups.

You should have a battle-tested incident response plan with an appropriate recovery time objective, and audit all of your cloud data and workloads for appropriate security controls and credentials. Also, carefully review your remote desktop credentials and use MFA to secure these and other sensitive logins.

Finally, don’t insert any random USB sticks in your computer that you get in the mail or find on the street!
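The defensive checklist above can be turned into a quick, read-only self-audit of a Windows host. The following PowerShell script is an added example and is not from the article or any FIN7 analysis; it checks the points the article raises (remote desktop exposure and who may use it, whether PowerShell activity is logged so PowerShell-based tooling can be tracked, whether unknown USB storage will mount, and whether any local snapshot exists as a backup sanity check). It changes nothing on the host and only reads registry values, group membership, and CIM data. The `$ExpectedRdpUsers` list is a constructed placeholder; the function name `Invoke-RansomwareReadinessAudit` is this example's own.

```powershell
# Added example (not from the article): read-only audit of a Windows host
# against the ransomware-defense points discussed above. Run from an
# elevated PowerShell session; nothing is modified.

# Constructed placeholder: the principals your policy allows to use RDP.
$ExpectedRdpUsers = @('CORP\RDP-Admins')

function Get-RegValue {
    # Return a registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Invoke-RansomwareReadinessAudit {
    $findings = @()

    # 1. Remote Desktop exposure: is RDP enabled, and is Network Level
    #    Authentication required before a session is created?
    $rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    if ($rdpDenied -eq 0) {
        $findings += 'RDP is enabled on this host; confirm it is needed and that the logins are protected by MFA.'
        if ($nla -ne 1) { $findings += 'Network Level Authentication is not required for RDP.' }
    }

    # 2. Who may log on over RDP? Compare the local group with the expected list.
    $rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name
    foreach ($member in $rdpMembers) {
        if ($ExpectedRdpUsers -notcontains $member) {
            $findings += "Unexpected member of Remote Desktop Users: $member"
        }
    }

    # 3. PowerShell script block logging (event 4104) is what lets defenders
    #    see the PowerShell commands malware runs and track them across hosts.
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    if ($sbl -ne 1) {
        $findings += 'PowerShell script block logging is not enabled by policy; PowerShell activity will not be recorded.'
    } else {
        # Sanity check that the log is actually receiving events.
        $recent = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue
        if (-not $recent) { $findings += 'Script block logging is enabled but no 4104 events were seen in the last 24h.' }
    }

    # 4. Removable storage: USBSTOR Start=4 disables the USB mass-storage driver,
    #    so a mailed or found USB stick cannot mount as a disk.
    $usbstor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    if ($usbstor -ne 4) { $findings += 'USB mass-storage driver is not disabled; unknown USB sticks will mount.' }

    # 5. Backup sanity check: a local shadow copy is NOT an offline backup, but
    #    its absence means there is not even a local restore point to fall back on.
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
              Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $shadow) {
        $findings += 'No volume shadow copies exist; verify that off-host backups run and that restores have been tested.'
    } else {
        $findings += "Most recent local shadow copy: $($shadow.InstallDate). Still verify off-host backups and test a restore."
    }

    return $findings
}

$results = Invoke-RansomwareReadinessAudit
if ($results.Count -eq 0) { Write-Output 'No findings.' }
else { $results | ForEach-Object { Write-Output "[!] $_" } }
```

Each finding is a plain string so the output can be collected from many hosts and compared; the checks are deliberately conservative and flag conditions for a human to confirm rather than attempting to remediate them.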
