Cybercrime group FIN6 evolves from POS malware to ransomware


The RansomWare and Binary code, RansomWare Concept Security and Malware attack.

Nawadoln, Getty Images/iStockphoto

A cybercrime group known primarily for hacking retailers and stealing payment card details from point-of-sale (POS) systems has changed tactics and is now also deploying ransomware on infected networks.

The group –named FIN6– has a reputation in the cyber-security field for being one of the most advanced cyber-criminal groups around.

Its activities were first documented in the spring of 2016, when FireEye published a first report detailing its extensive hacks and advanced arsenal.

At the time, the group had developed a versatile POS malware strain named Trinity (aka FrameworkPOS). FIN6 would hack into the networks of major retailers, move laterally across their systems, and deploy Trinity on computers that handled POS data to extract payment card details that they would later upload on their own servers.

The group would make money by selling these stolen payment card details on hacking forums, making millions of US dollars along the way.

FIN: Deploying ransomware since July 2018

But according to a new report published on Friday, April 5, by FireEye, the group is now also deploying ransomware on some of the hacked networks –on those that don’t handle POS data.

And the group hasn’t been dropping just any kind of ransomware. According to FireEye, since July 2018, the group has been deploying the Ryuk and LockerGoga ransomware strains.

Both of these strains have been at the center of a wave of high-profile infections that have crippled government agencies and large companies from the private sector alike –with the most recent victim being Norsk Hydro.

According to previous reports from CrowdStrike, FireEye, Kryptos Logic, McAfee, IBM, and Cybereason, the group is believed to be operating out of Russia, from where it rents the infrastructure of other groups (Emotet and TrickBot) to search for large companies that it would later infect with Trinity, Ryuk, or LockerGoga.

Ryuk ransomware infection steps

Ryuk ransomware infection steps

Image: Kryptos Logic

Is FIN6 now a ransomware-first group?

In its most recent report on FIN6, FireEye spotted and highlighted this change in tactics –from Trinity to Ryuk/LockerGoga.

However, the company’s analysts couldn’t say for sure if this is now the group’s main modus operandi, or if this is just a side-activity carried out by some group members “independently of the group’s payment card breaches.”

But regardless if FIN6 is now a ransomware-first group or not, companies and their cybersecurity departments need to pay close attention to this new development, read the recent FireEye report detailing the group’s new operational tacticts, and improve their detection capabilities accordingly, as any sightings of some particular tools may also indicate the presence of this advanced threat actor on a company’s network.

Related malware and cybercrime coverage: