ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > FIN11

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: FIN11

NamesFIN11 (FireEye)
Country[Unknown]
MotivationFinancial crime, Financial gain
First seen2016
Description(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.

Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.
ObservedSectors: Defense, Education, Energy, Financial, Hospitality, Retail, Telecommunications, Technology, Transportation.
Countries: Austria, Canada, Germany, India, Netherlands, Spain, UK, USA.
Tools usedAmadey, AndroMut, AZORult, BARBWIRE, BLUESTEAL, Clop, EMASTEAL, FlawedAmmyy, FLOWERPIPE, FORKBEARD, Get2, JESTBOT, Meterpreter, MINEBRIDGE, MINEDOOR, MIXLABEL, NAILGUN, POPFLASH, SALTLICK, SCRAPMINT, SHORTBENCH, SLOWROLL, SPOONBEARD, TinyMet, VIDAR.
Operations performedDec 2019Ransomware attack on Maastricht University
<https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/>
Mar 2020U.S. pharmaceutical giant ExecuPharm has become the latest victim of data-stealing ransomware.
ExecuPharm said in a letter to the Vermont attorney general’s office that it was hit by a ransomware attack on March 13, and warned that Social Security numbers, financial information, driver licenses, passport numbers and other sensitive data may have been accessed.
But TechCrunch has now learned that the ransomware group behind the attack has published the data stolen from the company’s servers.
<https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/>
Oct 2020Software AG IT giant hit with $23 million ransom by Clop ransomware
<https://www.bleepingcomputer.com/news/security/software-ag-it-giant-hit-with-23-million-ransom-by-clop-ransomware/>
Information<https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html>

Last change to this card: 20 October 2020

Download this actor card in PDF or JSON format

Previous: FIN10
Next: Fishing Elephant

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key