The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.
“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”
The research sheds new light on how cybercriminals from the threat group, described as a relentless, big game ransomware hunter that rarely goes more than a day or two between attacks, used the popular clop ransomware in their exploitations.
Throughout 2020, FIN11 actors followed an observable pattern through three separate campaigns: first spamming potential victims with phishing emails during the work week and then sifting through those who clicked on the malicious link to identify the most lucrative corporate targets for follow up action. FireEye picked up on one of those campaigns in October, and the company's research suggests “that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”
In the FIN11 clop attacks, a target is hit with a unique variation of the ransomware. Researchers found more than a dozen different clop samples used by the group. In some cases there are multiple samples for a single victim. They also craft a personalized ransom note that includes the victim’s name, specifics around exfiltrated data, file share paths, user names and other details. They also use ransomware with unique, 1024-bit RSA public keys for each victim, with Barabosch noting in a blog that “as of January 2021, the largest publicly known RSA key that was factored…had 829 bits.”
There’s also an air of professionalism in FIN11’s criminal operations: Telekom said they often offer further support to help organizations unlock their systems and provide after action reports on the network breach, even after they’ve been paid the ransom.
Telekom’s research contains indicators of compromise for FIN11’s most recent spam-phishing activities through December 2020.