The recently discovered hacker group FIN11 specializes in ransomware and extortion. In recent months, it has increasingly targeted German and German-speaking companies. The hackers presumably operate from within the Commonwealth of Independent States (CIS).
"In recent years, there has been a dramatic increase in aggressive ransomware attacks on businesses; Mandiant responded to nearly 300 percent more ransomware attacks in 2019 than the year before," says Genevieve Stark, analyst at Mandiant Threat Intelligence. The hacker group FIN11 exemplifies this trend: cybercriminals now use ransomware to monetize their intrusions rather than, say, point-of-sale malware that steals credit card details during payment transactions. FIN11 operates a hybrid extortion model: it steals the victim's data, deploys CLOP ransomware, and then threatens to publish the stolen data online in order to force the victim to pay. The ransom demands range from a few hundred thousand US dollars to as much as 10 million US dollars.
Hacker group targeted pharmaceutical companies
The group stands out for its particularly unabashed approach: at the beginning of 2020, it increasingly targeted pharmaceutical companies at a time when they were especially vulnerable because of the coronavirus pandemic.
The alleged victims listed on the CL0P^_- LEAKS website on the darknet are mostly based in Europe: around half of the affected companies are based in Germany. They operate in a variety of industries, including automotive, manufacturing, technology and textiles; utility companies were also among the alleged German victims. The CL0P^_- LEAKS website gives only an incomplete picture of FIN11's targets, since it lists only companies that were attacked and refused to pay the ransom. However, the German-language e-mails that FIN11 used in many phishing campaigns in 2020 also indicate that the group has actively targeted companies operating in German-speaking countries.
Targeted corporate attacks
While these campaigns were primarily aimed at German companies, they often also hit companies in other countries, Austria for example. In addition, we have observed cases in which both a German company and its subsidiaries in other countries were attacked.
Examples of German-language subject lines that FIN11 used for phishing e-mails from June to September:
- Daily protocol 20.01.2020
- Notification of illness
- Services
- Accident report
- New document
- Purchase order 14-3863-524-006
- June 3: 1 & 1 billing center
- Order 19 / 2002-021
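The subject lines above are ordinary German business correspondence ("order", "accident report", "sick note"), so on their own they are weak indicators. The following Python example, added here and not part of the article or of Mandiant's tooling, shows how a defender might nevertheless use them in mail-gateway triage: it parses constructed log lines, scores each message on whether the subject matches one of the listed lures, whether the sender is external, and whether a macro-capable attachment is present, and reports only messages above a threshold. The log format, the internal domain corp.test, the attachment heuristic, and the regex that generalises the numbered subjects ("Purchase order 14-3863-524-006", "Order 19 / 2002-021", "Daily protocol 20.01.2020") to "lure word plus a number or date" are all my assumptions, not facts from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mail-gateway log (not real traffic). Format assumed:
# <timestamp> from=<addr> to=<addr> subject="<text>" attachment=<name or ->
SAMPLE_LOG = """\
2020-07-14T08:02:11Z from=buchhaltung@example-lieferant.test to=einkauf@corp.test subject="Purchase order 14-3863-524-006" attachment=Bestellung.xls
2020-07-14T08:05:40Z from=hr@corp.test to=all@corp.test subject="Services" attachment=-
2020-07-14T09:11:03Z from=info@mail-xyz.test to=ceo@corp.test subject="Accident report" attachment=Unfallbericht.xls
2020-07-14T09:30:27Z from=kollege@corp.test to=team@corp.test subject="Daily protocol 20.01.2020" attachment=-
2020-07-14T10:00:00Z from=noreply@shop.test to=einkauf@corp.test subject="Your invoice is ready" attachment=invoice.pdf
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment=(?P<att>\S+)$'
)

# Lure subjects from the article, lowercased and stripped of per-message numbers.
LURE_SUBJECTS = {
    "daily protocol", "notification of illness", "services", "accident report",
    "new document", "purchase order", "order", "1 & 1 billing center",
}
# Assumption (mine): the article's numbered subjects generalise to
# "lure word followed by an order number or date" (digits, dots, slashes, dashes).
NUMBERED_LURE_RE = re.compile(r"^(purchase order|order|daily protocol)\s+[\d./ -]{6,}$")

INTERNAL_DOMAIN = "corp.test"                        # constructed
MACRO_EXT = (".xls", ".xlsm", ".doc", ".docm")       # assumption: macro-capable formats


@dataclass
class Finding:
    ts: str
    sender: str
    subject: str
    score: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_message(rec):
    """Score one parsed message; higher means more lure-like. Returns a Finding."""
    score, reasons = 0, []
    subj = rec["subject"].strip().lower()
    if NUMBERED_LURE_RE.match(subj):
        score += 2
        reasons.append("numbered lure subject")
    elif subj in LURE_SUBJECTS:
        score += 1
        reasons.append("generic lure subject")
    if not rec["sender"].lower().endswith("@" + INTERNAL_DOMAIN):
        score += 1
        reasons.append("external sender")
    if rec["att"] != "-" and rec["att"].lower().endswith(MACRO_EXT):
        score += 2
        reasons.append("macro-capable attachment")
    return Finding(rec["ts"], rec["sender"], rec["subject"], score, reasons)


def triage(log_text, threshold=3):
    """Return Findings at or above the threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = score_message(rec)
        if f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} score={f.score} subject={f.subject!r} reasons={f.reasons}")
```

The threshold matters: a lone "Services" from an internal address scores 1 and is ignored, whereas a numbered "Purchase order" from an external sender with a spreadsheet attached scores 5. Tune the weights and threshold against your own mail volume before alerting on the result.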
Find out more at FireEye.com
About Trellix
Trellix is a global company redefining the future of cybersecurity. The company's open and native Extended Detection and Response (XDR) platform helps organizations facing today's most advanced threats gain confidence that their operations are protected and resilient. Trellix security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to support over 40,000 business and government customers.