Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Report: FIN6 Shifts From Payment Card Theft to Ransomware

FireEye Finds Cybercrime Group Is Adding LockerGoga, Ryuk Ransomware to Its Arsenal
Report: FIN6 Shifts From Payment Card Theft to Ransomware

FIN6, a cybercrime group that has focused on attacking point-of-sale devices to steal credit card numbers, now also is waging ransomware attacks that target businesses with either LockerGoga or Ryuk, according to a new analysis from security firm FireEye.

See Also: Check Kiting In The Digital Age

Since 2016, FIN6 has been stealing credit card data to sell on the darknet to other groups looking to commit fraud. By targeting the hospitality and retail industries, the group is believed to have collected about 20 million payment cards worth $400 million, FireEye reports.

Security researchers at several firms, including IBM, have concluded that FIN6 has ties to Russia.

Now, FIN6 - or at least some members associated with cybercriminal gang - have begun to switch tactics, deploying ransomware throughout the networks that they are attacking, FireEye researchers note in a blog.

Newer Ransomware Strains

One strain of ransomware that FIN6 is using, according to FireEye, is Ryuk, which was used against the Chicago-based Tribune Publishing company in late 2018. The other is Lockergoga, the ransomware used against the Norwegian firm Norsk Hydro in March, causing at least $40,000 in financial damage. It's also suspected in other attacks in Europe and the U.S., according to security researchers.

The reason for using these newer strains of ransomware might be that the FIN6 group is attempting to evade security protections that have been put in place to guard against more well-known, widely deployed malware, FireEye tells Information Security Media Group.

"Given that this ransomware is being manually deployed post-compromise and needs only the barest functionality (encrypt files, drop ransom note, evade anti-malware protections), the benefit of using a malware that is largely unknown and for which anti-malware detections are poor likely outweighs the benefit of [using other] well-known ransomware that may be better detected or integrate unnecessary functionality," FireEye says in a statement provided to ISMG. "FIN6 may believe that Ryuk and LockerGoga have lower prevalence and therefore might be less likely to be detected."

The report also notes: "FireEye has observed what appears to be a gradual decline in the volume of FIN6-attributable point-of-sale intrusions preceding this shift, but we can definitely not rule out the possibility that this activity is ongoing in parallel. FIN6 typically monetizes intrusions. Targeting payment card data limits the scope of potential targets and requires additional time and resources."

Making the Switch

FireEye researchers have traced FIN6's shift to ransomware attacks to sometime in 2018, and they believe this has cost businesses that have been targeted "several millions of dollars" in ransom payments so far.

The group has been less frequently using its original attack method - targeting POS machines, installing malware dubbed Trinity (or FrameworkPOS), moving laterally through the network and stealing credit card data.

FIN6's ransomware and POS attacks use similar techniques, FireEye reports.

Typically, the group targets systems that are internet-facing. By using stolen credentials, the cybercriminals then move laterally through the network by taking advantage of Microsoft Windows' Remote Desktop Protocol.

These types of intrusions can carry on for a year, FireEye reports. Once inside the network, the group can use several techniques to establish a foothold and to move laterally.

One technique is taking advantage of PowerShell to execute an encoded command, which FireEye researchers identified as Cobalt Strike, a piece of malware that provides backdoors and can download additional malware, according to FireEye.

Another technique is to create a Windows service by using Metasploit, an open source penetration testing toolkit. This then creates a reverse HTTP shellcode payload, which communicates with a command-and-control server. It then requests an additional download, FireEye reports.

Through studying these techniques and the way the group moves laterally through a network, the FireEye researchers found that FIN6 was leaving instructions to download Ryuk or LockerGoga into the infected network.

Guarding Against an Attack

As for how to better protect networks from these types of attacks - whether they're designed to steal credit card data or plant ransomware - FireEye advises organizations to restrict or minimize the ability for workstation-to-workstation communication through Server Message Block Protocol protocols, ensure local administration passwords are unique and determine if all systems are updated with the latest security patches.

FireEye also recommends developing a business continuity and disaster recovery plan to ensure files are backed up in case of ransomware attack. This can allow an enterprise to access critical files if they have been encrypted during the attack.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.