In an era where digital threats are continuously evolving, the notorious FIN7 cybercrime syndicate is increasingly cementing its presence on the global stage. Researchers have unveiled the group’s distinctive organizational structure, extensive tactics, and deep ties within the broader cyber threat ecosystem. Recently, the syndicate has automated its attack system, further broadening its nefarious reach and fortifying its position as a major player in the ransomware landscape.
FIN7’s Sophisticated Tools and Intrusion Techniques
FIN7’s Auto-Attack System – ‘Checkmarks’
In the latest revelation, FIN7 has developed an automated attack platform called ‘Checkmarks.’ This system is designed to exploit Microsoft Exchange and SQL injection vulnerabilities, thereby enabling the group to breach corporate networks, pilfer data, and select targets for ransomware attacks based on financial size. It indicates the group’s growing adaptability and sophistication in its criminal operations.
Intrusion Techniques and Ransomware Tactics
FIN7 has diversified its tactics over time, with strategies ranging from ATM attacks and hiding malware-carrying USB drives inside teddy bears to setting up fake cybersecurity firms for ransomware attacks. Today, its strategy revolves around carefully selecting high-value companies that are already compromised, then pressuring them to pay hefty ransoms or finding other ways to monetize their data and remote access. This targeted approach reflects a new level of sophistication in the group's illicit activities.
Global Reach and Victim Selection
FIN7's activities span the globe, with 8,147 victims documented so far. The United States remains a primary target, but the group has also attacked businesses in China, Germany, Canada, Italy, and the U.K. New victims are automatically added to a central panel where FIN7 operators can see additional details about the compromised endpoint, demonstrating the group's ambition to expand its activities far and wide.
The Distinctive Modus Operandi of FIN7
Due Diligence and Target Evaluation
In an original approach, FIN7’s internal ‘marketing’ team scrutinizes new entries, collecting information from diverse sources like Owler, Crunchbase, DNB, Zoominfo, MuStat, and Similarweb to evaluate a firm’s size and financial status. They then add comments on the Checkmarks platform to list victims’ current revenue, number of employees, domain, headquarters details, and other information, aiding in determining whether the firm is worth the time and effort of a ransomware attack.
Post-Exploitation and Retargeting
Once access is obtained, FIN7 follows a set sequence: exfiltrating data, encrypting files, and then setting the ransom amount based on the company's revenue. It also deploys SSH backdoors on compromised systems and keeps them in place even after a ransom is paid. This lets the group resell access to other ransomware groups and re-target victims as part of its money-making scheme, maximizing profit for minimal additional effort.
Connections with Other Ransomware Gangs
Evidence suggests that FIN7 has links with multiple ransomware gangs, including Darkside, REvil, and LockBit. The retrieved Jabber logs reveal abundant evidence of communications with these groups, further indicating FIN7’s extensive affiliations within the cybercrime ecosystem.
The Organizational Structure of FIN7
Team Structure and Roles
Interestingly, FIN7 operates much like a traditional company, with a team structure that includes top-level management, developers, pentesters, affiliates, and marketing teams. These individuals are assigned specific roles and responsibilities, indicating a high level of organization within the syndicate.
Key Players and Coercive Practices
The key players in FIN7 include individuals named Alex ("The Manager") and Rash ("The Tech Lead"), while another member named Sergey-Oleg ("The Targeter") is tasked with overseeing the group's operations. Disturbingly, operators in administrative positions resort to intimidation and threats to ensure their team members' compliance and deter them from shirking responsibilities.
Conclusion
FIN7 represents a major threat in the global cybercrime landscape, with an intricate organizational hierarchy, an automated attack platform, and increasingly sophisticated ransomware tactics. Administrators are strongly advised to familiarize themselves with the group's techniques and indicators of compromise (IOCs) so they can protect their networks against these escalating threats.