FIN6, primarily known for hacking retailers and stealing payment card details from point-of-sale (POS) systems, has changed its targets and is now planning to deploy ransomware on infected networks. FIN6 is widely regarded in the cyber-security field as one of the most advanced groups around, so this shift in direction spells trouble.
The first attack was in the spring of 2016, when the group created a versatile POS malware strain named Trinity. This malware allowed FIN6 to hack into the networks of major retailers and deploy Trinity on the computers that handled credit card payment details, later uploading the extracted data to its own servers. Once the credit card information was secured, they would sell the details on hacking forums for millions of US dollars.
FireEye recently published a report stating that the group is now deploying ransomware on some of the attacked networks. This isn't just any kind of ransomware: they are releasing the Ryuk and LockerGoga strains. Both have crippled government agencies and large private-sector companies alike, the most recent victim being Norsk Hydro.
According to FireEye, it is unclear whether FIN6 has completely shifted to a ransomware-first group or whether the ransomware deployments are being carried out by some group members on the side. Regardless of where the focus has shifted, companies and their cybersecurity departments need to pay close attention to this new development and improve their detection capabilities accordingly: start focusing on commonly used tools like Metasploit, Cobalt Strike, and Empire, along with tactics like encoded PowerShell scripts or RDP logins with Key Length 0.
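Detection logic for two of the indicators named above, written here as an added example and not taken from the article or from FireEye's report. The event records are constructed; their field names follow the Windows Security 4624 logon event and the Sysmon process-creation (event 1) layout as a SIEM typically flattens them.

```python
import base64

# Constructed sample events (not real telemetry). The encoded command is a
# benign "Get-Process", built here so the sample stays honest about its content.
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "KeyLength": 0, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Kerberos",
     "KeyLength": 128, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 1, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"EventID": 1, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]


def encoded_powershell_payload(cmdline):
    """Return the decoded script when cmdline carries -EncodedCommand, else None.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    and the argument is base64 of a UTF-16LE string, so it is decoded the same way.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok.startswith("-") and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed argument, not a usable encoded command
    return None


def is_rdp_logon_keylength_zero(event):
    """Security 4624, logon type 10 (RemoteInteractive, i.e. RDP) with Key Length 0:
    the logon pattern the article says to watch for."""
    return (event.get("EventID") == 4624 and event.get("LogonType") == 10
            and event.get("KeyLength") == 0)


def scan(events):
    """Run both checks over a batch of events and return human-readable findings."""
    findings = []
    for ev in events:
        if is_rdp_logon_keylength_zero(ev):
            findings.append("rdp-keylength-0: %s from %s" % (ev["TargetUserName"], ev["IpAddress"]))
        elif ev.get("EventID") == 1:
            decoded = encoded_powershell_payload(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append("encoded-powershell: %s" % decoded)
    return findings
```

Calling `scan(SAMPLE_EVENTS)` flags the NTLM RDP logon with Key Length 0 and the encoded PowerShell launch, while the Kerberos logon and the plain `-File` invocation pass.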