FIN7 returns with new ransomware attacks
A notorious financially motivated cybercrime group known for targeting the U.S. retail, restaurant and hospitality sectors emerged from a two-year hiatus to carry out opportunistic ransomware attacks last month, researchers with Microsoft said late Thursday.
The group — tracked widely as FIN7 but by Microsoft as Sangria Tempest (formerly ELBRUS) — had not been linked to a ransomware campaign since late 2021, Microsoft’s Threat Intelligence Center said in a series of Thursday-night tweets. But in recent attacks the group deployed the Cl0p ransomware variant against multiple unnamed targets, following on the group’s track record of using multiple ransomware strains in its attacks.
FIN7 deployed the REvil, Maze, DarkSide and BlackMatter ransomware variants against targets in the past as part of its transition away from breaking into corporate systems and payment networks and toward a greater focus on ransomware operations, Mandiant reported in April 2022.
FIN7 has a long history in the cybercrime world. According to the FBI, the group’s operations date to at least 2015, and FIN7 has targeted some 100 U.S. companies with attacks designed to steal payment credentials and other data that can be used or sold for profit. The group is believed to have developed the ransomware strain that was used to attack Colonial Pipeline in 2021, an incident that resulted in fuel deliveries being disrupted along the Eastern Seaboard and drew attention to the widespread problem of ransomware attacks.
In April 2022, a federal judge in Seattle sentenced the Ukrainian national Denys Iarmak to five years in prison for his connections to FIN7 activity between November 2016 and November 2018.
The group has been linked to a pair of fake companies used to recruit potential employees. One, called Bastion Secure — which used the logo BS — recruited programmers, system administrators and bug finders, the Wall Street Journal reported in October 2021. FIN7 previously established a different fake company, Combi Security, for similar purposes, the U.S. Department of Justice said in August 2018.