The well-known cybercrime group FIN7 has reemerged, deploying Cl0p ransomware in its first attack campaign since late 2021. Microsoft, which discovered the activity in April 2023, tracks the financially motivated actor as Sangria Tempest under its new threat actor naming scheme. The company's threat intelligence team stated, "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network." They added, "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."
FIN7, also known as Carbanak, ELBRUS, and ITG14, has been associated with other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, and its intrusions have served as a precursor to Maze and Ryuk ransomware attacks. Active since at least 2012, the group is notorious for targeting a wide range of organizations across various industries, including software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.
Another distinctive tactic employed by FIN7 is the establishment of fake security companies – Combi Security and Bastion Secure – to recruit personnel for executing ransomware attacks and other operations. Last month, IBM Security X-Force disclosed that members of the now-defunct Conti ransomware gang are using a new malware called Domino, which was developed by FIN7. FIN7's use of POWERTRASH to deliver Lizar (also known as DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in relation to attacks that exploited a high-severity vulnerability in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.
The latest development demonstrates FIN7's ongoing reliance on a variety of ransomware families to target victims as part of a shift in its monetization strategy: the group is pivoting away from payment card data theft toward extortion, an evolution in its approach to cybercrime.