Researchers tie FIN7 cybercrime family to Clop ransomware
Long-running cybercrime cartel FIN7, which has made use of ransomware variants developed by groups including REvil and Maze, has added another strain to its arsenal.
Researchers from Microsoft’s security team said they saw the group deploying the Clop ransomware in April — its first ransomware campaign after a long period of inactivity that began in late 2021.
Microsoft said FIN7 – which it calls Sangria Tempest in its new naming convention – was spotted deploying several different tools giving it a foothold in victim systems before moving laterally within a network and deploying the Clop ransomware.
“Clop is the latest ransomware strain that Sangria Tempest has been observed deploying over the years,” Microsoft said on Thursday evening. “The group previously deployed REvil and Maze before managing the now-retired DarkSide and BlackMatter ransomware operations.”
In November, SentinelOne researchers tied the cybercrime organization to the Black Basta ransomware operation — a group behind high-profile attacks on the American Dental Association and German wind farm operator Deutsche Windtechnik.
SentinelOne echoed Microsoft’s assessment that FIN7 has previously been tied to other notable ransomware operations like DarkSide, BlackMatter, REvil and ALPHV.
FIN7 – previously known as Carbanak – has been operating dozens of cybercriminal efforts since 2012. The group started out using point-of-sale malware to run financial scams but switched to ransomware around 2020.
FIN7 is accused of attacking more than 100 U.S. companies between 2015 and 2018 and of orchestrating intrusions at tens of U.S. retailers, such as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli, where it deployed malware that collected millions of customer payment card details that were later sold on hacking forums.
A key member of FIN7 was sentenced to 84 months in prison and ordered to pay $2.5 million in restitution in June 2021 and another was given a one-year suspended prison sentence by a Russian court in December 2021. At least five FIN7 members have been identified by law enforcement agencies.
Recorded Future ransomware expert Allan Liska said Microsoft’s assessment appears to indicate that Clop actors are either letting other cybercriminals deploy their ransomware or have created a “partnership” of sorts with FIN7.
“There is no indication I can find previously tying Clop to FIN7, so this does seem like a new relationship – whatever form that has taken,” he said. The Record is an editorially independent unit of Recorded Future.
Liska noted that other cybercriminal organizations have previously used similar tactics as a way to avoid U.S. sanctions, which make it illegal for victims to pay ransoms.
“Evil Corp used to do this (and may still) so that people wouldn’t know they were paying a sanctioned entity,” Liska explained, noting that FIN7 is likely shopping around for ransomware it can deploy to cover its tracks.
“They are hopping from ransomware group to ransomware group looking for the ‘new hotness.’”
Clop drew headlines earlier this year for its exploitation of a vulnerability affecting Fortra’s GoAnywhere file transfer product. The gang stole data from governments, businesses and schools — from the City of Toronto and the Virgin company to the government of Tasmania and Hitachi.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.