HC3 TLP Clear FIN11 Threat Profile June 13, 2023

Executive Summary

FIN11 is a financially motivated cybercriminal group that has been active since at least 2016 and is believed to operate out of the Commonwealth of Independent States (CIS). While FIN11 has historically been associated with widespread phishing campaigns, it has since shifted toward other initial access vectors. The group runs high-volume operations, mainly targeting companies across many industries in North America and Europe for data theft and ransomware deployment, primarily using CL0P (aka CLOP) ransomware. FIN11 targeted pharmaceutical companies and other health care organizations during the COVID-19 pandemic and continues to target the health sector. It is behind multiple high-profile, widespread intrusion campaigns that exploited zero-day vulnerabilities. FIN11 likely gains access to the networks of far more organizations than it is able to monetize, and appears to decide whether further exploitation of a given victim is worth the effort based on factors such as the victim's geographic location and security posture. This Threat Actor Profile provides information associated with FIN11, including recent campaigns, associated malware, CVEs exploited, and TTPs.

Impact to HPH Sector

Given FIN11’s history of conducting widespread campaigns that exploit zero-day vulnerabilities in software commonly used in the Healthcare and Public Health (HPH) sector to steal data and deploy ransomware, HC3 recommends that healthcare organizations treat FIN11 as a top priority for their security teams. While HC3 cannot confirm exactly how many, or which, CL0P ransomware attacks are attributable to FIN11, HC3 has observed around 30 incidents involving CL0P ransomware in the U.S. HPH sector since 2021. The affected organizations either provided direct patient care or were health plans and/or payers. CL0P ransom demands typically range from a few hundred thousand dollars up to USD $10 million. Recently, researchers observed widespread exploitation of a zero-day vulnerability in the MOVEit Transfer managed file transfer software, which has been attributed to FIN11. The list of organizations that have disclosed data breaches following these attacks includes a national public healthcare system.

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272