FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware

FIN7 resumed activity

Microsoft analysts report that last month the notorious hacker group FIN7 (also known as Carbanak, Navigator and others) resumed its activity. The researchers were able to link FIN7 to attacks whose ultimate goal was to deploy the Clop ransomware on victims’ networks.

FIN7 Cybercrime Group Goes On

“The financially motivated cybercriminal group Sangria Tempest (ELBRUS, FIN7) has emerged from a long period of inactivity. In April 2023, the group was seen using Clop ransomware in opportunistic attacks, its first ransomware campaign since late 2021,” says Microsoft Security Intelligence on Twitter.

Let me remind you that we also wrote that Clop ransomware continues to work even after a series of arrests, and also that Clop Operators Claim to Hack 130 Organizations Using GoAnywhere MFT Bug.

Information security specialists reported that Clop ransomware operators leaked data from two universities. The new attacks reportedly used the PowerShell-based POWERTRASH in-memory dropper to deploy the Lizar post-exploitation tool on compromised devices. This gives the attackers a foothold in the target network, from which they begin lateral movement using OpenSSH and Impacket, and eventually deploy the Clop encryptor across the victim company’s network.
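The chain described above (an in-memory PowerShell dropper, then lateral movement over OpenSSH and Impacket) leaves artifacts in process-creation telemetry that a defender can hunt for. The following Python script is an added example, not code from the original article or from Microsoft: it runs a few heuristic rules over constructed Sysmon-style process events. The in-memory PowerShell indicators are generic (long -EncodedCommand payloads, Invoke-Expression, reflective assembly loads, Base64 decoding); the Impacket patterns are the widely documented default command-line shapes of wmiexec.py and smbexec.py and are an assumption here, since the article does not say which Impacket tool was used; the OpenSSH rule simply flags a shell spawned by sshd.exe on a Windows host. The sample events and host names are constructed for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed process-creation events: (host, parent image, image, command line).
# Synthetic samples for this example only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand "
     "SQBFAFgAIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAA=="),
    ("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -c "IEX ([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"'),
    ("srv02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1683112345.67 2>&1"),
    ("srv02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
     r"%COMSPEC% /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat "
     r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    ("srv02", r"C:\Windows\System32\OpenSSH\sshd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c Get-Process"),
    # Benign activity that the rules must not flag.
    ("ws03", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ("srv02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

# Generic in-memory PowerShell execution indicators.
IN_MEMORY_POWERSHELL = [
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), "long -EncodedCommand payload"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "Invoke-Expression of generated code"),
    (re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), "reflective assembly load"),
    (re.compile(r"DownloadString\(|FromBase64String\(", re.I), "payload fetched or decoded in memory"),
]

# Assumed default command-line shapes of Impacket's wmiexec.py and smbexec.py
# (output redirected to a loopback admin share); adjust to your own observations.
IMPACKET_ARTIFACTS = [
    (re.compile(r"cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I), "wmiexec-style output redirection"),
    (re.compile(r"%COMSPEC% /Q /c echo .*\\\\127\.0\.0\.1\\C\$\\__output", re.I), "smbexec-style output file"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    host: str
    category: str
    label: str
    command_line: str


def scan_events(events):
    """Apply every rule to every event; one Finding per matching rule."""
    findings = []
    for host, parent, image, cmdline in events:
        for pattern, label in IN_MEMORY_POWERSHELL:
            if pattern.search(cmdline):
                findings.append(Finding(host, "in_memory_powershell", label, cmdline))
        for pattern, label in IMPACKET_ARTIFACTS:
            if pattern.search(cmdline):
                findings.append(Finding(host, "impacket_artifact", label, cmdline))
        # A shell whose parent is the OpenSSH server is a lateral-movement signal on Windows.
        if (PureWindowsPath(parent).name.lower() == "sshd.exe"
                and PureWindowsPath(image).name.lower() in SHELLS):
            findings.append(Finding(host, "openssh_shell", "shell spawned by sshd.exe", cmdline))
    return findings


def summarize(findings):
    """Map each host to the sorted set of indicator categories seen on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return {host: sorted(cats) for host, cats in by_host.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.category:22} {f.label}: {f.command_line[:70]}")
    print(summarize(found))
```

A host that shows both an in-memory PowerShell stage and Impacket or OpenSSH shell artifacts, as srv02 and ws01 do together in the sample, is the pattern worth escalating; the individual rules are noisy on their own, which is why the summary groups by host and category rather than alerting per event.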

Cl0p ransomware and FIN7 relationship

According to Microsoft, Clop is simply the latest piece of malware used by FIN7. The group was previously associated with REvil and Maze, and later with the now defunct BlackMatter and DarkSide RaaS operations. In addition, citing a private Microsoft analytical report, the media report that FIN7 is associated with attacks on PaperCut print management servers that eventually led to the deployment of ransomware such as Clop, Bl00dy and LockBit.

In the closed report, Microsoft analysts write that the financially motivated group FIN11, which the company tracks under the code name Lace Tempest, used new tools, including the PowerShell script inv.ps1, which the researchers associate with FIN7. This script was used to deploy the Lizar toolkit mentioned above, which likely indicates that the operators of the two groups have joined forces or started exchanging attack tools.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
