A group of financially motivated cybercriminals known as FIN7 resurfaced last month, with Microsoft threat analysts associating it with attacks whose end goal was to deploy Clop ransomware payloads on the networks of victims.
“The financially motivated cybercrime group Sangria Tempest (ELBRUS, FIN7) has emerged from a long period of inactivity,” the company said in a series of tweets from the Microsoft Security Intelligence Twitter account.
“The group was observed deploying the Clop ransomware in opportunistic attacks in April 2023, its first ransomware campaign since late 2021.”
In these recent attacks, FIN7 attackers used the PowerShell-based POWERTRASH in-memory malware dropper to deploy the Lizar post-exploitation tool to compromised devices.
This allowed the threat actors to gain a foothold in the targeted network and move laterally to deploy the Clop ransomware using OpenSSH and Impacket, a legitimate Python toolkit that can also be used for remote service execution and relay attacks.
According to Microsoft, Clop ransomware is only the latest strain that the cybercrime gang has used against its victims.
The group had previously been linked to REvil and Maze ransomware, prior to its involvement in the now defunct BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations.
FIN7 arrests, teddy bears and ransomware
Since it began operating a decade ago in 2013, the financially motivated FIN7 hacking group has been linked to attacks mainly targeting banks and the point-of-sale (PoS) terminals of companies in various industry sectors (mainly restaurants, gambling and hospitality) in Europe and the United States.
The FBI has warned US companies about malicious USB drive attacks coordinated by FIN7, which targeted the US defense industry with mailed packages containing malicious USB devices designed to deploy ransomware.
FIN7 operators have also impersonated Best Buy in similar attacks, mailing malicious USB drives via USPS to hotels, restaurants and retail businesses, with the packages also containing teddy bears to trick targets into letting their guard down.
Although some members of FIN7 have been arrested over the years, the hacking group is still active and growing stronger, as evidenced by this new spate of attacks reported by Microsoft.
In April 2022, FIN7 pen tester Denys Iarmak was sentenced to 5 years in prison for network breaches and credit card theft attacks spanning at least two years.
Iarmak was the third FIN7 member convicted in the US, after Andrii Kolpakov (another pen tester) was sent to prison for seven years in June 2021 and Fedir Hladyr (a top manager) was sentenced to ten years in prison in April 2021.