Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report. 

The cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting the point-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7’s compromise of Saks Fifth Avenue and Lord & Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the US Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million payment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific cybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals’ preferred high-profit, jackpot venture, FIN7 has redeployed their expertise and capacity towards ransomware, with reports indicating that the group was involved in attempted ransomware attacks on US companies as early as 2020. Furthermore, despite focus from law enforcement and the arrest of a FIN7 system administrator in 2021, FIN7’s continued activity shows that the group remains a powerful, active threat.

In 2018, the US Department of Justice revealed that FIN7 was posing as “Combi Security”, a fake cybersecurity company, to involve unaware IT specialists in their carding campaigns. While the public focus on Combi Security shut down that operation, Gemini has now discovered that FIN7 is using a new fake cybersecurity company named “Bastion Secure” to lure unaware IT specialists into supporting its continued expansion into ransomware.

Over the course of FIN7’s existence, cybersecurity firms have referred to FIN7 by several names—including Carbanak, Carbon Spider, Anunak, Cobalt Gang, and Navigator Group—with some practitioners choosing to subdivide the FIN7 designation according to the target type. While overlapping but different groups of individuals have likely conducted malicious activity attributed to these threat groups, the unifying thread connecting the attack signatures to FIN7 has been the use of the malware Carbanak.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Tags: