FIN11 APT Description
FIN11 APT is the designation given to a collective of hackers that has been operational since 2016. The group is characterized by periods of extreme activity, during which it has been observed carrying out up to five attack campaigns in a single week, followed by periods when it is relatively dormant. FIN11 does not display much sophistication in its malware toolkit or attack procedures, but it makes up for that with sheer volume.
While most similar APT groups fail to sustain their existence for long, FIN11 has not only remained operational for multiple years but has also been undergoing constant change, expanding its preferred targets and switching the focus of its attacks. Between 2017 and 2018, FIN11 concentrated on attacking a narrow group of entities, mostly those working in the retail, financial and hospitality sectors. The following year, however, the hackers showed no particular preference for an industry sector or geographical location when choosing their victims, attacking indiscriminately.
At the same time, the hackers have swiftly adapted to the shifting monetization trends among cybercriminal actors. Initially, FIN11 deployed Point-of-Sale (POS) malware before moving on to ransomware attacks. In its recent activity, mostly in 2020, the group has adopted hybrid extortion. The hackers compromise their victims with CLOP Ransomware, but before the encryption process is initiated, various types of data from the targeted computers are exfiltrated to servers under FIN11's control. The victims are then presented with a difficult choice: pay the ransom to the hackers and hope to receive a working decryption tool, or risk having potentially sensitive corporate or private data leaked online.
To build the infrastructure supporting their criminal activity, the hackers from FIN11 rely on numerous services provided by underground dealers. These services range from hosting to the creation of malware tools, code-signing certificates, and domain registration.
With its willingness to follow the most popular trends in cyberattacks, no particular focus on a group of targets, and a demonstrated capacity to carry out multiple phishing attacks at the same time, FIN11 could remain a potent threat for the foreseeable future.