FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
FIN11 is a new designation for a financially motivated threat actor that may previously have been obscured within the activity set and group usually referred to as TA505. Although there are similarities and overlaps in the TTPs of both groups, researchers have discovered enough differences to separate the groups.
TA505 is largely defined by its large-scale phishing campaigns. It has distributed Dridex and dropped multiple types of ransomware, including GlobeImposter and Philadelphia. The group now defined by Mandiant (FireEye) Threat Intelligence researchers as FIN11 similarly uses large-scale phishing campaigns, but is primarily defined by its unique use of the CLOP ransomware. The researchers also believe that the code families known as FlawedAmmyy, FRIENDSPEAK and MIXLABEL are unique to FIN11.
It is possible that some earlier attacks attributed to TA505 were actually undertaken by FIN11, especially those that used any of the malware now uniquely attributed to FIN11, such as FlawedAmmyy or the CLOP ransomware. A candidate for the latter is the CLOP ransomware attack in December 2019 against the University of Maastricht (Netherlands), although Kimberly Goody, FireEye’s manager of cyber crime analysis, said that she could not confirm this without first seeing the attack forensics.
“I would think of TA505 as a really big umbrella, while FIN11 is a portion of that activity,” she said. “So, the TA505 attribution isn’t necessarily incorrect, it’s just another name that other companies use for this activity. We would caution against just saying we attribute that attack to FIN11 because we don’t have the technical artifacts. We need to see the full life cycle of the tactics and malware that attackers use within an environment before we would make an attribution.” Nevertheless, it is tempting on the basis of this new report to suggest that the Maastricht attack would be better attributed to FIN11 than to TA505.
FIN11 now focuses its efforts primarily on ransomware and extortion. “Recent FIN11 intrusions have most commonly led to data theft, extortion and the disruption of victim networks via the distribution of CLOP ransomware,” say the FireEye researchers in their report. This demonstrates FIN11’s willingness and ability to change tactics over time. “In 2018,” Goody told SecurityWeek, “we saw FIN11 deploying point of sale malware. But in 2019, they pivoted towards CLOP and ransomware.” This shift from POS to extortion was common among other groups during the same timeframe; Mandiant saw an increase in ransomware of around 300% over the same period.
It isn’t known how many organizations have fallen victim to FIN11, partly because of the apparently growing tendency for victims to simply pay for a decryption key. That tendency can be inferred from the rapidly increasing ransom demands. While the Dutch university paid $240,000, it seems that this month’s attack on Software AG may have been accompanied by a demand for $23 million. It is unlikely that demands would have increased to this extent if lower demands were not being met.
The CLOP group engages in what is sometimes referred to as ‘double extortion’. Before encrypting data, the gang steals it. If the victim declines to pay the decryption fee, the gang then threatens to release the stolen data. Data is released via the gang’s dark web site, called CL0P^_- LEAKS. While we don’t necessarily know how many CLOP victims have paid a ransom, this site gives a good indication of the victims that have declined to pay.
The CL0P^_- LEAKS website suggests that there have been FIN11 victims in North America, India and Europe. The majority are located in Europe, and about half of those in Germany. “FIN11,” say the researchers, “has used German-language lures in many of their 2020 campaigns, suggesting that they have actively targeted German organizations.” This is slightly unusual, since ransomware attackers more usually target American firms above others. FireEye does not believe that the gang specifically targets either OT or IT. It told SecurityWeek that the malware includes many process killers across both IT and OT, suggesting that the CLOP gang simply tries to extort from wherever it lands.
The lack of victims in Commonwealth of Independent States (CIS) countries is part of the reason that FireEye believes the CLOP gang operates out of this region. It is generally considered that the Russian government largely turns a blind eye towards cybercriminals that do not operate within Russia or the associated CIS. This is further supported by FIN11 files containing metadata suggesting that the operators are using a language with a Cyrillic alphabet, and a dramatic drop in activity during the Russian New Year holiday and Orthodox Christmas (January 1-8). Further clues include the use of Russian language resource files by some of the malware, and some of the phishing emails using a Cyrillic language code page.
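Two of those clues can be checked mechanically across a sample set: declared Cyrillic code pages in phishing e-mails, and the activity drop over 1-8 January. The following Python is an added example written for this page, not FireEye’s or Mandiant’s tooling. The code page list, the sample messages and the campaign dates are all constructed assumptions; the activity check compares 1-8 January against a two-week baseline on either side.

```python
"""Added example: check two attribution signals from the article against a
constructed sample set. Not FIN11 artifacts; the messages, dates and the
code page list below are assumptions made for illustration."""
import email
from collections import Counter
from datetime import date, timedelta
from email.header import decode_header

# Charset labels that imply a Cyrillic code page (assumed list; extend as needed).
CYRILLIC_CODEPAGES = {
    "koi8-r", "koi8-u", "windows-1251", "cp1251", "cp866", "ibm866",
    "iso-8859-5", "x-mac-cyrillic",
}


def charsets_in_message(raw: bytes) -> set[str]:
    """Collect every charset declared in a raw RFC 5322 message: the
    Content-Type of each MIME part plus RFC 2047 encoded words in headers."""
    msg = email.message_from_bytes(raw)
    found: set[str] = set()
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            found.add(cs.lower())
    for hdr in ("Subject", "From", "To"):
        for _text, cs in decode_header(msg.get(hdr, "")):
            if cs:
                found.add(cs.lower())
    return found


def cyrillic_codepages(raw: bytes) -> set[str]:
    """Subset of the declared charsets that are Cyrillic code pages."""
    return charsets_in_message(raw) & CYRILLIC_CODEPAGES


def holiday_activity_ratio(events: list[date], year: int) -> float:
    """Mean daily event count over 1-8 January of `year`, divided by the mean
    over the 14 days before and the 14 days after that window. A value near 0
    is the 'dramatic drop' described in the article; near 1 means no effect."""
    holiday_start = date(year, 1, 1)
    holiday_end = date(year, 1, 8)
    base_start = holiday_start - timedelta(days=14)
    base_end = holiday_end + timedelta(days=14)
    per_day = Counter(events)
    holiday = sum(per_day[holiday_start + timedelta(days=i)] for i in range(8)) / 8
    baseline_days = [
        base_start + timedelta(days=i)
        for i in range((base_end - base_start).days + 1)
        if not holiday_start <= base_start + timedelta(days=i) <= holiday_end
    ]
    baseline = sum(per_day[d] for d in baseline_days) / len(baseline_days)
    if baseline == 0:
        raise ValueError("no baseline activity to compare against")
    return holiday / baseline


def weekday_events(start: date, end: date, skip_holiday: bool) -> list[date]:
    """Constructed campaign-send dates: one event per weekday, optionally
    skipping 1-8 January as an actor observing Russian holidays would."""
    out, d = [], start
    while d <= end:
        in_holiday = d.month == 1 and d.day <= 8
        if d.weekday() < 5 and not (skip_holiday and in_holiday):
            out.append(d)
        d += timedelta(days=1)
    return out


# Constructed sample messages (assumed content, not real lures).
SAMPLE_CYRILLIC = (
    b"From: =?koi8-r?B?78zY0sE=?= <sender@example.test>\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: =?windows-1251?Q?=D1=F7=E5=F2?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=\"windows-1251\"\r\n"
    b"\r\nPlease open the attached invoice.\r\n"
)
SAMPLE_ASCII = (
    b"From: billing@example.test\r\nSubject: Invoice\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    b"\r\nPlease open the attached invoice.\r\n"
)
SAMPLE_MULTIPART = (
    b"From: billing@example.test\r\nSubject: Invoice\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/html; charset=koi8-r\r\n\r\n<html>see attachment</html>\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"invoice.xls\"\r\n\r\nplaceholder\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, raw in [("cyrillic", SAMPLE_CYRILLIC), ("ascii", SAMPLE_ASCII),
                      ("multipart", SAMPLE_MULTIPART)]:
        print(name, sorted(cyrillic_codepages(raw)))
    window = (date(2019, 12, 18), date(2020, 1, 22))
    print("quiet actor:", holiday_activity_ratio(weekday_events(*window, True), 2020))
    print("no holiday effect:", holiday_activity_ratio(weekday_events(*window, False), 2020))
```

Both checks are weak on their own: a German-language lure sent to German targets will declare a Latin code page regardless of who wrote it, and an activity lull needs a large enough event count to be meaningful. They are only useful in combination with the malware and intrusion artifacts Goody describes.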
The CLOP group seems to combine a spray-and-pray approach to compromising targets with a more selective approach to monetization. It operates large-scale phishing campaigns, but then chooses which of the networks it compromises to exploit. “Once access to a company’s network has been obtained,” write the researchers, “FIN11 may selectively choose whether the access is worth exploiting based on criteria such as their geolocation, sector or perceived security posture.” This selection may indicate that the gang is only interested in wealthier organizations, especially those likely to hold very sensitive or personal data, or it may simply reflect a capacity limit. FireEye warns that this may prompt the CLOP group to effectively sub-contract the exploitation of victims it does not exploit itself to other criminal groups in order to maximize its revenue.