An exhaustive analysis of FIN7 has unmasked the cybercrime syndicate’s organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.
It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.

The highly active threat group, also known as Carbanak, is known for employing an extensive arsenal of tools and tactics to expand its “cybercrime horizons,” including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.

More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.

FIN7’s intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials purchased from underground markets.

Put differently, the modus operandi of FIN7 boils down to this: it utilizes services like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims’ sites. Initial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company’s revenue.
To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cybersecurity awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.