FIN6, a cybercrime group that has focused on attacking point-of-sale devices to steal credit card numbers, is now also waging ransomware attacks that target businesses with either LockerGoga or Ryuk, according to a new analysis from security firm FireEye.
Since 2016, FIN6 has been stealing credit card data to sell on the darknet to other groups looking to commit fraud. By targeting the hospitality and retail industries, the group is believed to have collected about 20 million payment cards worth $400 million, FireEye reports.
Security researchers at several firms, including IBM, have concluded that FIN6 has ties to Russia.
Now, FIN6 – or at least some members associated with the cybercriminal gang – have begun to switch tactics, deploying ransomware throughout the networks that they are attacking, FireEye researchers note in a blog post.
Newer Ransomware Strains
One strain of ransomware that FIN6 is using, according to FireEye, is Ryuk, which was used against the Chicago-based Tribune Publishing company in late 2018. The other is LockerGoga, the ransomware used against the Norwegian firm Norsk Hydro in March, causing at least $40,000 in financial damage. It’s also suspected in other attacks in Europe and the U.S., according to security researchers.
The reason for using these newer strains of ransomware might be that the FIN6 group is attempting to evade security protections that have been put in place to guard against more well-known, widely deployed malware, FireEye tells Information Security Media Group.
“Given that this ransomware is being manually deployed post-compromise and needs only the barest functionality (encrypt files, drop ransom note, evade anti-malware protections), the benefit of using a malware that is largely unknown and for which anti-malware detections are poor likely outweighs the benefit of [using other] well-known ransomware that may be better detected or integrate unnecessary functionality,” FireEye says in a statement provided to ISMG. “FIN6 may believe that Ryuk and LockerGoga have lower prevalence and therefore might be less likely to be detected.”
The report also notes: “FireEye has observed what appears to be a gradual decline in the volume of FIN6-attributable point-of-sale intrusions preceding this shift, but we can definitely not rule out the possibility that this activity is ongoing in parallel. FIN6 typically monetizes intrusions. Targeting payment card data limits the scope of potential targets and requires additional time and resources.”