FIN7 Cyber Gang Resurfaces with Cl0p Ransomware in New Wave of Attacks

May 20, 2023

The well-known cybercrime group FIN7 has reemerged, launching Cl0p ransomware in its first attack campaign since late 2021. Microsoft, which discovered the activity in April 2023, is monitoring the financially driven actor under its new classification system, Sangria Tempest. The company's threat intelligence team stated, "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network." They added, "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."

FIN7, also known as Carbanak, ELBRUS, and ITG14, has been associated with other ransomware families such as Black Basta, DarkSide, REvil, and LockBit. The threat actor has acted as a forerunner for Maze and Ryuk ransomware attacks. Active since at least 2012, the group is notorious for targeting a wide range of organizations across various industries, including software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another distinctive tactic employed by FIN7 is the establishment of fake security companies – Combi Security and Bastion Secure – to recruit personnel for executing ransomware attacks and other operations. Last month, IBM Security X-Force disclosed that members of the now-defunct Conti ransomware gang are utilizing a new malware called Domino, developed by FIN7. FIN7's use of POWERTRASH to deliver Lizar (also known as DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in relation to attacks exploiting a high-severity vulnerability in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development demonstrates FIN7's ongoing reliance on various ransomware families to target victims as part of a shift in its monetization strategy. The group is pivoting away from payment card data theft towards extortion, indicating an evolution in their approach to cybercrime.
