The long-running cybercrime group FIN7, known for breaking into payment systems and corporate networks, has been moving into ransomware operations, according to researchers at security firm Mandiant.
The company said it has identified increased data-theft extortion or ransomware deployment associated with FIN7 attacks in recent years. Ransomware strains used in connection with the group’s operators include Maze, Ryuk and ALPHV — also known as BlackCat — the researchers said Monday.
“Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” researchers note.
Experts saw a major indicator of the group’s transition into ransomware in the fall, when researchers at Recorded Future unmasked a company called Bastion Secure as a front for the group’s efforts to hire hacking talent. Researchers believe that FIN7 was responsible for the software behind the hack of major East Coast fuel provider Colonial Pipeline by ransomware group DarkSide. Mandiant’s research also connects FIN7 to DarkSide.
FIN7 gained notoriety for a spree of campaigns starting in 2014 that helped the group rack up more than $1 billion in stolen funds from more than 100 companies internationally. The group’s methods have ranged from hacking into point-of-sale systems to posing as government officials to trick employees into opening malware.
But the group suffered some setbacks after U.S. officials nabbed two of FIN7’s top leaders. The United States prosecuted one leader of the gang, Ukrainian Andrii Kolpakov, in 2021. Kolpakov oversaw a team of hackers who between 2016 and 2018 breached U.S. corporations including Chipotle, resulting in huge losses. Another member, Denys Iarmak, pleaded guilty to federal charges in November.
Also new to FIN7’s techniques is the group’s use of supply chain compromise to gain additional system access, Mandiant said. In one case, FIN7 actors compromised a website that sells digital products and modified multiple download links to point to an Amazon S3 bucket hosting a malware installer. The hackers later remotely deployed Powerplant, a “vast backdoor framework with a breadth of capabilities” that researchers describe as unique to FIN7.