Cybercrime Group FIN6 Evolves from POS Malware to Ransomware

FIN6 is a financially motivated cybercrime group that has been active since at least 2015. It was previously known for targeting retail and eCommerce merchants, compromising multiple point-of-sale (POS) environments with the TRINITY POS malware (also known as FrameworkPOS). The group broke into the networks of major retailers, moved laterally across their systems, and deployed TRINITY on the machines that processed POS data in order to scrape payment card details, which it then exfiltrated to servers under its own control. FIN6 monetized the operation by selling the stolen card data on underground forums, earning millions of US dollars in the process.

The group has now changed tactics and is deploying the Ryuk and LockerGoga ransomware strains on the networks of compromised companies that hold no POS data for it to steal. Both strains have been at the center of a wave of high-profile infections that have crippled government agencies and large private-sector companies alike. According to previous reports from CrowdStrike, FireEye, Kryptos Logic, McAfee, IBM, and Cybereason, the group is believed to be operating out of Russia. Because FIN6 has expanded its criminal enterprise to include ransomware as a way to further monetize its access to compromised organizations, companies and their security teams need to pay close attention to this development and take action to defend against it.