Back to Blog

FIN6 Shifts From Payment Card Theft to Ransomware

April 11, 2019

By: Scott Ferguson

FIN6, a cybercrime group that has focused on attacking point-of-sale devices to steal credit card numbers, now also is waging ransomware attacks that target businesses with either LockerGoga or Ryuk, according to a new analysis from security firm FireEye.

Since 2016, FIN6 has been stealing credit card data to sell on the darknet to other groups looking to commit fraud. By targeting the hospitality and retail industries, the group is believed to have collected about 20 million payment cards worth $400 million, FireEye reports.

Security researchers at several firms, including IBM, have concluded that FIN6 has ties to Russia.

Now, FIN6 – or at least some members associated with cybercriminal gang – have begun to switch tactics, deploying ransomware throughout the networks that they are attacking, FireEye researchers note in a blog.

Newer Ransomware Strains

One strain of ransomware that FIN6 is using, according to FireEye, is Ryuk, which was used against the Chicago-based Tribune Publishing company in late 2018. The other is Lockergoga, the ransomware used against the Norwegian firm Norsk Hydro in March, causing at least $40,000 in financial damage. It’s also suspected in other attacks in Europe and the U.S., according to security researchers.

The reason for using these newer strains of ransomware might be that the FIN6 group is attempting to evade security protections that have been put in place to guard against more well-known, widely deployed malware, FireEye tells Information Security Media Group.

“Given that this ransomware is being manually deployed post-compromise and needs only the barest functionality (encrypt files, drop ransom note, evade anti-malware protections), the benefit of using a malware that is largely unknown and for which anti-malware detections are poor likely outweighs the benefit of [using other] well-known ransomware that may be better detected or integrate unnecessary functionality,” FireEye says in a statement provided to ISMG. “FIN6 may believe that Ryuk and LockerGoga have lower prevalence and therefore might be less likely to be detected.”

The report also notes: “FireEye has observed what appears to be a gradual decline in the volume of FIN6-attributable point-of-sale intrusions preceding this shift, but we can definitely not rule out the possibility that this activity is ongoing in parallel. FIN6 typically monetizes intrusions. Targeting payment card data limits the scope of potential targets and requires additional time and resources.”

More: https://www.bankinfosecurity.com/report-fin6-shifts-from-payment-card-theft-to-ransomware-a-12358

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

contact@sikur.com

Follow us

Try SIKUR





Contact Us
First Name*
Last Name*
E-mail*
Mobile Number*
Company*
Country*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
Comments
I agree to the Privacy Policy and Terms of Service.