- FIN11 is considered a high-priority threat for healthcare organizations due to its history of targeting the sector and its use of ransomware.
- FIN11 is a highly active and sophisticated cybercriminal group that primarily targets companies in North America and Europe.
- They are known for conducting high-volume operations and have a history of targeting the healthcare sector, including pharmaceutical companies.
- While FIN11 has shifted away from phishing campaigns, it continues to exploit zero-day vulnerabilities and deploy ransomware.
Known aliases:
- Odinaff (Symantec)
- Sectoj04 (NSHC Group)
- TA505 (Proofpoint)
- TEMP.Warlock
- Lace Tempest (Microsoft)
- DEV-0950 (Microsoft, defunct)
- Hive0065 (IBM X-Force)
- G0092 (MITRE ATT&CK)
- Spandex Tempest (formerly CHIMBORAZO) (Microsoft)
Country of origin:
- Commonwealth of Independent States (CIS)
Most recent attacks:
- Zero-Day Exploitation (since May 2023): FIN11 exploited a zero-day vulnerability in MOVEit Transfer, a secure managed file transfer software, leading to data breaches at numerous organizations, including a national public healthcare system.
- PaperCut MF and NG Exploitation (since at least April 13, 2023): FIN11 exploited vulnerabilities in PaperCut MF and NG, a print management software, to gain access to networks and deploy ransomware.
Known high profile notable attacks:
- Accellion File Transfer Appliance (FTA) Zero-Day Exploitation (December 2020): FIN11 exploited a zero-day vulnerability in Accellion FTA, a file transfer appliance, leading to data breaches at several organizations.
- Windows ZeroLogon Vulnerability Exploitation (October 2020): FIN11 exploited the ZeroLogon vulnerability in Windows to gain access to networks and deploy ransomware.
Common methods of infiltration:
- Phishing campaigns: FIN11 historically relied heavily on phishing campaigns to gain initial access to networks.
- Exploitation of zero-day vulnerabilities: FIN11 actively exploits zero-day vulnerabilities in popular software to gain unauthorized access.
Malware/ransomware strains used:
- CL0P ransomware: FIN11 is known to deploy CL0P ransomware, with ransom demands typically ranging from a few hundred thousand dollars to USD 10 million.
- LEMURLOOT: Associated with FIN11 and is used for data theft.
- MINEDOOR/FRIENDSPEAK (aka Get2): Used to gain initial access and deploy other malware.
- MIXLABEL (aka SDBbot): Used for network reconnaissance and lateral movement.
- FlawedAmmyy: Historically used by FIN11 for remote access but has not been observed since 2019.
- FlawedGrace (aka GraceWire, BARBWIRE): Used for remote access and control.
- ServHelper: Used for command and control.
- P2P RAT: Used for peer-to-peer communication and data exfiltration.
- Raspberry Robin (low confidence): Potentially used by FIN11 for initial access.
- Cobalt Strike: Used for post-exploitation activities, such as lateral movement and data exfiltration.
- Truebot (aka TRUECORE): Used for banking trojan activities.
- AdFind, Amadey, Azorult (low confidence), BloodHound, Mimikatz, PowerSploit, DEWMODE: These tools are used for credential theft and privilege escalation.