FireEye researchers examining the activity – mainly in North America – have dubbed the actor, or group, FIN10.
FireEye researchers examining the activity – mainly in North America – have dubbed the actor, or group, FIN10.

A cyber extortion group has been burrowing its way into enterprise networks, stealing data and then using their ill-gotten gains to demand ransom from victims, said a new FireEye report [registration required].

FireEye researchers examining the activity – mainly in North America – have dubbed the actor, or group, FIN10.

FIN10, FireEye said, uses publicly available software, scripts and techniques to penetrate into company networks. The group then offers evidence of its theft on public websites and demands a ransom from victims. If payment is not forthcoming, the threat actors claim, the data will be released publicly and, further, they threaten to destroy the data and disrupt business operations.

The actor, or group, has been active since 2013, the researchers said, and continue their activity, primarily attacking casinos and mining operations, mainly in Canada. "In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems," the report stated.

The campaigns have primarily used specially crafted spear-phishing emails with malicious attachments to gain entry into corporate networks, duping unsuspecting workers to click on a link directing them to a server maintained by FIN10. The group likely used LinkedIn and other social media to gather specific details it then used in crafting its messages, the FireEye report said.

Meterpreter, an advanced payload included in the Metasploit Framework, is the primary strategy the group used to gain admission into corporate networks, although FireEye also detected the group using Splinter Remote Access Trojan (SplinterRAT). The group also was found to be using PowerShell Empire, a pen-testing tool, for elevated persistence.

Once inside a network, "FIN10 routinely deploys destructive batch scripts intended to delete critical system files and shutdown network systems," the researchers explained.

FIN10 demands it be paid in Bitcoin – in a range from 100 to 500 Bitcoins, or $124,000 to $620,000.

While the miscreants behind FIN10 have identified themselves as "Angels_Of_Truth," and cited Canadian interference with Russia as their motivation, analysis of the language used in its posts indicate to the FireEye team that the attackers are not Russian speakers, but attempting to misdirect their origin. It's more likely they are Serbian, based on their use of a designation associated with a hacktivist group from that region, dubbed Tesla Team, the researchers surmised.

Owing to the success FIN10 has already achieved, the prognosis by the FireEye team is that the group's activities will only spread. In fact, as the group seems interested not only in money but in extending its influence, the FireEye study posits that the group could parlay its strategies to go after further targets beyond the industry verticals it has so far addressed.

The researchers' conclusion is that corporations around the world "must be prepared to detect and respond to threats from this group and other bad actors."