Skip to content

Hide Navigation Hide TOC

FIN11 (c01aadc6-1087-4e8e-8d5c-a27eba409fe3)

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

Cluster A Galaxy A Cluster B Galaxy B Level
Lace Tempest (b27dcdee-14b1-5842-86b3-32eacec94584) Microsoft Activity Group actor FIN11 (c01aadc6-1087-4e8e-8d5c-a27eba409fe3) Threat Actor 1
TA505 (03c80674-35f8-4fe0-be2b-226ed0fcd69f) Threat Actor Lace Tempest (b27dcdee-14b1-5842-86b3-32eacec94584) Microsoft Activity Group actor 2
TA505 (03c80674-35f8-4fe0-be2b-226ed0fcd69f) Threat Actor Spandex Tempest (c85120d0-c397-5d30-9d57-3b019090acd5) Microsoft Activity Group actor 3