Until recently, the FIN6 cybercrime group was known only for hacking retailers and stealing payment information from Point of Sale (POS) systems. The group has since evolved its tactics to include deploying ransomware on networks across the internet.
FIN6 has forged a reputation as one of the most advanced hacking groups currently active on the internet. Its activities were first spotted around the spring of 2016, when FireEye published a report detailing the extensive range of attacks and capabilities deployed by the group.
Back in 2016, FIN6 developed a POS malware strain called Trinity, versatile enough to break into major retailer networks and move across their systems. The group managed to deploy Trinity on the computers that handle these businesses' POS data, extracting payment data and card details they could later use on their own servers.
The group generates its revenue by monetizing this stolen data and payment details on hacking forums.
According to a recent report published by FireEye on April 5th, the group is now also deploying ransomware on some of the networks it has compromised, specifically ones that do not handle POS data at all.
The group has been dropping the LockerGoga and Ryuk ransomware strains since July 2018; both have been used in a wave of high-profile infections aimed at large companies, government agencies and the like, with Norsk Hydro being the most recent victim.
IBM, CrowdStrike, Kryptos Logic, Cybereason, FireEye and McAfee have all concluded that the group may be operating from outside Russia, renting its infrastructure from other groups such as TrickBot and Emotet. This lets the group seek out large companies to infect with its malware of choice, be it Ryuk, Trinity or LockerGoga.
Are FIN6 considered a Ransomware-First group now?
In its most recent reports on FIN6 activity, FireEye described the shift in tactics from the Trinity POS malware to the LockerGoga and Ryuk ransomware. What the analysts could not say with certainty is whether this is the group's new modus operandi or whether some of its members are acting independently.
Either way, FIN6 has given companies and governments reason to stay on their toes, especially in light of these recent developments.