Traditionally associated with payment card theft, the cybercriminal group FIN6 has expanded its operations to apparently include ransomware attacks using the malicious encryption programs Ryuk and LockerGoga, according to researchers.

Investigations by the FireEye Intelligence research team and the company’s Mandiant division have revealed that FIN6’s ransomware activity dates back to July 2018, and has reportedly caused tens of millions of dollars in damage. Such behavior is a far cry from the group’s more traditional m.o., which involves using malware to steal card data from retail and hospital companies, and then selling that information on underground marketplaces.

“As the frequency of these intrusions deploying ransomware have increased, the cadence of activity traditionally attributed to FIN6 – intrusions targeting point-of-sale (POS) environments, deploying TRINITY malware and sharing other key characteristics – has declined,” explains FireEye in an April 5 blog post. “Given that, FIN6 may have evolved as a whole to focus on these extortive intrusions. However, based on tactical differences between these ransomware incidents and historical FIN6 activity, it is also possible that some FIN6 operators have been carrying out ransomware deployment intrusions independently of the group’s payment card breaches.”

FireEye researchers say FIN6’s shifting business model is exemplified by a recently detected attack against one of FireEye’s clients in the engineering industry – an incident that seemed “out of character” because that company does not process payment card data. Further analysis and incident response support determined that FIN6 had been caught in the early stages of a intrusion that was accomplished by compromising an unspecified internet-facing system. Moreover, the tools, tactics and procedures used in this attack were similar to those leveraged in separate attacks that deployed Ryuk and LockerGoga ransomware.

In this specific case, the threat actor used stolen credentials and the Remote Desktop Protocol to move laterally within the corporate environment, and established a foothold using a combination of malicious Windows services, PowerShell commands, and the pen testing tools Cobalt Strike and Metasploit. The Metasploit framework was also used to achieve privilege escalation through a “named pipe impersonation” technique.

FIN6 conducted internal reconnaissance via a Windows batch file that leveraged Adfind to query Active Directory data, as well as 7-zip to compress the query results so they could be exfiltrated. FIN6 used this technique to “identify user accounts that could access additional hosts in the domain,” the blog post explains.

Ultimately, the goal was to use lateral movement to infect corporate servers and configure them as malware distribution servers capable of staging the ransomware and other tools to assist in the ransomware’s deployment. Fortunately, FireEye says the compromised systems were contained within two hours of the initial detection, thus preventing the attackers from completing their objective.