Traditionally associated with payment card theft, the cybercriminal group FIN6 has expanded its operations to apparently include ransomware attacks using the malicious encryption programs Ryuk and LockerGoga, according to researchers.

Investigations by the FireEye Intelligence research team and the company's Mandiant division have revealed that FIN6's ransomware activity dates back to July 2018 and has reportedly caused tens of millions of dollars in damage. Such behavior is a far cry from the group's more traditional M.O., which involves using malware to steal card data from retail and hospitality companies and then selling that information on underground marketplaces.

"As the frequency of these intrusions deploying ransomware has increased, the cadence of activity traditionally attributed to FIN6 – intrusions targeting point-of-sale (POS) environments, deploying TRINITY malware and sharing other key characteristics – has declined," explains FireEye in an April 5 blog post. "Given that, FIN6 may have evolved as a whole to focus on these extortive intrusions. However, based on tactical differences between these ransomware incidents and historical FIN6 activity, it is also possible that some FIN6 operators have been carrying out ransomware deployment intrusions independently of the group's payment card breaches."
