Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks

May 20, 2023 | Ravie Lakshmanan | Cyber Crime / Ransomware

The infamous cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy as Sangria Tempest.

"In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that was developed by the cybercrime cartel.

FIN7's use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signals FIN7's continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy, pivoting away from payment card data theft to extortion.