| Field | Value / Date | Details |
|---|---|---|
| Names | FIN11 (FireEye) | |
| Country | [Unknown] | |
| Motivation | Financial crime, Financial gain | |
| First seen | 2016 | |
| Description | (FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations. | |
| Observed | Sectors: Defense, Education, Energy, Financial, Hospitality, Retail, Telecommunications, Technology, Transportation. Countries: Australia, Austria, Canada, Germany, India, Netherlands, New Zealand, Singapore, Spain, UK, USA. | |
| Tools used | Amadey, AndroMut, AZORult, BLUESTEAL, Clop, EMASTEAL, FlawedAmmyy, FLOWERPIPE, FORKBEARD, Get2, JESTBOT, Meterpreter, MINEBRIDGE, MINEDOOR, MIXLABEL, NAILGUN, POPFLASH, SALTLICK, SCRAPMINT, SHORTBENCH, SLOWROLL, SPOONBEARD, TinyMet, VIDAR. | |
| Operations performed | Dec 2019 | Ransomware attack on Maastricht University <https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/> |
| | Mar 2020 | U.S. pharmaceutical giant ExecuPharm has become the latest victim of data-stealing ransomware. ExecuPharm said in a letter to the Vermont attorney general’s office that it was hit by a ransomware attack on March 13, and warned that Social Security numbers, financial information, driver licenses, passport numbers and other sensitive data may have been accessed. But TechCrunch has now learned that the ransomware group behind the attack has published the data stolen from the company’s servers. <https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/> |
| | Oct 2020 | Software AG IT giant hit with $23 million ransom by Clop ransomware <https://www.bleepingcomputer.com/news/security/software-ag-it-giant-hit-with-23-million-ransom-by-clop-ransomware/> |
| | Dec 2020 | Global Accellion data breaches linked to Clop ransomware gang <https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/> |
| | Dec 2020 | Singtel, QIMR Berghofer report Accellion-related data breaches <https://www.bleepingcomputer.com/news/security/singtel-qimr-berghofer-report-accellion-related-data-breaches/> |
| | Dec 2020 | New Zealand Reserve Bank breached using bug patched on Xmas Eve <https://www.bleepingcomputer.com/news/security/new-zealand-reserve-bank-breached-using-bug-patched-on-xmas-eve/> |
| | Jan 2021 | Australian securities regulator discloses security breach <https://www.bleepingcomputer.com/news/security/australian-securities-regulator-discloses-security-breach/> |
| | Jan 2021 | Data breach exposes 1.6 million Washington unemployment claims <https://www.bleepingcomputer.com/news/security/data-breach-exposes-16-million-washington-unemployment-claims/> |
| | Feb 2021 | Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day <https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532> |
| | Feb 2021 | Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet <https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/> |
| | Feb 2021 | Kroger data breach exposes pharmacy and employee data <https://www.bleepingcomputer.com/news/security/kroger-data-breach-exposes-pharmacy-and-employee-data/> |
| | Mar 2021 | Cybersecurity firm Qualys is the latest victim of Accellion hacks <https://www.bleepingcomputer.com/news/security/cybersecurity-firm-qualys-is-the-latest-victim-of-accellion-hacks/> |
| | Mar 2021 | Ransomware gang leaks data stolen from Colorado, Miami universities <https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/> |
| | Mar 2021 | Energy giant Shell discloses data breach after Accellion hack <https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/> |
| | Mar 2021 | Ransomware gang urges victims’ customers to demand a ransom payment <https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/> |
| | Mar 2021 | Ransomware group targets universities in Maryland, California in new data leaks <https://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/> |
| | Mar 2021 | Ransomware gang leaks data from Stanford, Maryland universities <https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/> |
| | Apr 2021 | More Accellion Health Data Breaches Revealed <https://www.healthcareinfosecurity.com/more-accellion-health-data-breaches-revealed-a-16350> |
| | Jun 2021 | Clop ransomware is back in business after recent arrests <https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/> |
| | Oct 2021 | Clop ransomware gang is leaking confidential data from the UK police <https://securityaffairs.co/wordpress/125792/cyber-crime/clop-ransomware-uk-police.html> |
| | Nov 2021 | Marine services provider Swire Pacific Offshore hit by ransomware <https://www.bleepingcomputer.com/news/security/marine-services-provider-swire-pacific-offshore-hit-by-ransomware/> |
| | Apr 2022 | Clop ransomware gang is back, hits 21 victims in a single month <https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/> |
| | Aug 2022 | Hackers attack UK water supplier but extort wrong company <https://www.bleepingcomputer.com/news/security/hackers-attack-uk-water-supplier-but-extort-wrong-company/> <https://therecord.media/ransomware-group-may-have-stolen-customer-bank-details-from-british-water-company/> |
| | Sep 2022 | FIN11 is Back: Impersonates Popular Video Conference Application <https://www.cyfirma.com/outofband/fin11-is-back-impersonates-popular-video-conference-application/> |
| | Dec 2022 | Cl0p Ransomware Targets Linux Systems with Flawed Encryption <https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/> |
| Counter operations | Jun 2021 | Operation “Cyclone”: Ukraine arrests Clop ransomware gang members, seizes servers <https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/> <https://www.interpol.int/News-and-Events/News/2021/INTERPOL-led-operation-takes-down-prolific-cybercrime-ring> |
| Information | <https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html> | |
Last change to this card: 17 February 2023