A hacker gang that has predominantly focused its efforts on financial cybercrime has switched from its usual strategies to ransomware, attracted by the potentially larger and easier-to-obtain rewards.

Until now, the far-reaching hacker group, which has been operating since 2016, typically employed tried and tested campaigns involving phishing emails loaded with POS malware. The group’s new move of employing ransomware tactics is a significant sign of how successful this type of cyber extortion method has become for criminal outfits seeking to make money.

The group, named FIN11, and its new campaign have been recorded and detailed by cybercrime researchers from FireEye Mandiant. The cybersecurity experts have described the threat operators as “well-established”, commenting that they are a crime group responsible for some of hacking’s longest-running campaigns.

Genevieve Stark, an analyst for Mandiant Threat Intelligence, commented:

“FIN11 has likely shifted their primary monetisation method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware. Ransomware also increases the potential victim pool since it can be deployed at nearly any organisation while POS malware is only effective against certain targets.”

Previous attack strategies recorded

The hacker gang began with targeted attacks on retailers, restaurants and banks, but has diversified in recent years, attacking a far wider spectrum of sectors in many countries around the world. The gang’s modus operandi has typically been to attack multiple organisations simultaneously via a torrent of phishing emails, often numbering in the thousands.

In one week alone, experts at Mandiant observed and recorded multiple active campaigns where assorted victims included logistics, shipping and pharmaceutical firms based across two continents – Europe and North America.

Despite the strategy of attacking organisations concurrently, the group’s initial phishing campaigns are for the most part customised to suit individual targets. The aim is to increase the likelihood that a chosen victim will open the malicious attachment, which eventually leads to backdoor access.

FIN11 cybercrime campaigns seen previously commonly aimed to acquire data files, either to exploit for the group’s own use as part of further criminal activities, or to sell to the highest bidder on the dark web.

A rewarding move to ransomware

FIN11 is now using its expansive network to deliver ransomware to networks it has already compromised. Its recent forays have favoured Clop ransomware and payments demanded in bitcoin. The group’s new objective would appear to be making large quantities of money quickly from a broader selection of victims.

Stark observed:

“FIN11’s adoption of data-theft and extortion to increase leverage on victims is further evidence that their motivations are exclusively financial. We anticipate that FIN11 will continue to conduct widespread phishing campaigns with consistently evolving delivery tactics for the foreseeable future.”

The group’s ransomware attacks so far have been numerous and largely successful, but companies looking to safeguard their data and interests from campaigns devised by FIN11 and other threat operators should follow cybersecurity advice and keep their networks consistently patched so that attackers cannot exploit known vulnerabilities.