A cybercriminal group once notorious for digital payment card theft is believed to have switched its focus to ransomware attacks, in a reminder of just how versatile threat actors have become.
Crooks thought to be affiliated with the FIN7 group – which shot to notoriety last decade when it used malware to steal millions of card details before selling them on the dark web – have evolved to “increase the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” said analyst Mandiant.
The revamped picture of the group comes from Mandiant folding eight clusters it had previously tracked as separate, suspected FIN7-linked groups into the FIN7 “brand”, a consolidation the firm says confirms the “resilience” of the threat actor.
The cybersecurity firm said it identified an “uptick” in what it believes is FIN7 activity using ransomware, beginning last April and spanning five incidents that year. While admitting it could not link the gang to “any direct deployment of ransomware”, Mandiant said its claims were “substantiated by evidence [including] code usage, actor infrastructure, and trusted third-party sources.”
The gang allegedly “modified multiple download links” on a compromised website to steer victims towards trojanised installers, and then deployed a backdoor – malware that gives the attackers covert, persistent access to a target network while bypassing its normal authentication – which Mandiant tracks as Powerplant.
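The tampered-download-link tactic described above is something a site operator can check for. The following script is an added example, not code from the original article or from Mandiant: it parses a page's HTML, collects links to installer-like files, and compares them against a known-good baseline, flagging links whose target has changed and, in particular, links that now point to a host other than the site's own (the way a rewritten link can silently redirect a customer to an attacker-controlled bucket). All URLs, hostnames and HTML snippets in it are constructed for illustration.

```python
"""Audit a page's download links against a known-good baseline.

Added example (not from the original article). Every hostname, URL and
HTML fragment below is constructed; no network access is performed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File extensions that typically denote an installer or archive a visitor
# will execute. Extend to match the products a site actually ships.
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_download_links(html, page_url):
    """Return absolute URLs, in page order, of links to installer-like files."""
    collector = _LinkCollector()
    collector.feed(html)
    links = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)          # resolve relative hrefs
        if urlsplit(absolute).path.lower().endswith(DOWNLOAD_SUFFIXES):
            links.append(absolute)
    return links


def audit_download_links(html, page_url, baseline):
    """Compare the page's download links with the known-good set.

    Returns a dict with three sorted lists:
      unexpected: links on the page that are not in the baseline (rewritten
                  or newly added targets)
      offsite:    the subset of unexpected links whose host differs from the
                  page's own host, the strongest signal of a redirect to
                  attacker-controlled storage
      missing:    baseline links that no longer appear on the page (the
                  original target was replaced, not merely added to)
    """
    site_host = urlsplit(page_url).hostname
    found = set(extract_download_links(html, page_url))
    unexpected = sorted(found - set(baseline))
    offsite = [u for u in unexpected if urlsplit(u).hostname != site_host]
    missing = sorted(set(baseline) - found)
    return {"unexpected": unexpected, "offsite": offsite, "missing": missing}


# Constructed sample data: a fictitious vendor download page, its expected
# links, and a tampered copy in which the Windows installer link has been
# rewritten to point at an external storage host.
PAGE_URL = "https://shop.example.com/downloads"
BASELINE = {
    "https://shop.example.com/files/editor-setup.exe",
    "https://shop.example.com/files/editor-mac.dmg",
}
GOOD_HTML = (
    '<a href="/files/editor-setup.exe">Windows</a>'
    '<a href="/files/editor-mac.dmg">macOS</a>'
    '<a href="/docs/manual.html">Manual</a>'
)
TAMPERED_HTML = (
    '<a href="https://cdn-storage.example.net/files/editor-setup.exe">Windows</a>'
    '<a href="/files/editor-mac.dmg">macOS</a>'
    '<a href="/docs/manual.html">Manual</a>'
)

if __name__ == "__main__":
    for label, html in (("good", GOOD_HTML), ("tampered", TAMPERED_HTML)):
        print(label, audit_download_links(html, PAGE_URL, BASELINE))
```

Run it against a crawl of the live page on a schedule and alert on any non-empty `offsite` list; an `unexpected` link on the site's own host still deserves a look, since an attacker with write access to the site can also host a trojanised file locally, which is why the baseline should be paired with known hashes of the files themselves.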
“Our researchers describe Powerplant as vast because its framework allows for a breadth of capabilities, depending on which modules are delivered from the command and control server,” said Mandiant, adding that it believes FIN7 is the only group using the malware.
The ransomware families that Mandiant links to suspected FIN7 activity, through those possible relationships with other ransomware operations, include Maze, Ryuk, Darkside, and ALPHV.