FIN7 hacker group linked to the Black Basta ransomware campaigns

Many facts and findings suggest a connection between the FIN7 hacker group and Black Basta ransomware operations

Researchers link ransomware gang to other hackers: Black Basta ransomware and the FIN7 hacking group were linked via their use of particular tools, techniques, and protocols.

Security researchers have linked the ransomware and the hacking group after a new analysis of their tooling. Black Basta ransomware and the FIN7 group have been connected, and it is believed that at least some members of one group also belong to the other.[1] The recent threat analysis revealed unique tools and methods, as well as shared experimentation with frameworks such as Cobalt Strike in test malware-dropping attacks, that may link the two cybercrime operations.

The FIN7 group, also known as Carbanak, is a team of financially motivated criminals. Researchers[2] found signs that this group's developer also authored the Endpoint Detection and Response (EDR) evasion tools that Black Basta has used since June 2022.[3] These tools are used exclusively by this ransomware group.

Other details linking the two groups are IP addresses and particular tactics, techniques, and procedures used by FIN7 in early 2022 that were later employed in Black Basta ransomware attacks. There have also been no signs that the operators recruit affiliates to deploy the ransomware: the threat actor relies on its own custom toolset or works with a close set of affiliates, without needing to advertise its operations.
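The attribution reasoning above rests on what two intrusion clusters share: infrastructure, custom tooling, and tactics, techniques, and procedures. The following added example (not code from the article or from any vendor's research tooling) scores that overlap the way an analyst would, weighting distinctive evidence such as shared infrastructure or a shared packer far above shared techniques, which many unrelated groups also use. Every cluster, indicator, and technique assignment in it is a constructed placeholder; the weights and thresholds are illustrative assumptions, not published criteria.

```python
"""Overlap scoring between two intrusion clusters (added illustrative example).

All cluster data below is constructed: IPs come from documentation ranges,
tool names are placeholders, and the technique IDs are real ATT&CK IDs but
their assignment to these clusters is invented, not reported intelligence.
"""
from dataclasses import dataclass, field


@dataclass
class Cluster:
    name: str
    infrastructure: set[str] = field(default_factory=set)  # C2 hosts / IPs observed
    tooling: set[str] = field(default_factory=set)         # custom tool or packer families
    ttps: set[str] = field(default_factory=set)            # ATT&CK technique IDs


# Assumed weights: shared infrastructure or custom tooling is far more
# distinctive than shared techniques, so it dominates the score.
WEIGHTS = {"infrastructure": 0.5, "tooling": 0.35, "ttps": 0.15}
LIKELY_THRESHOLD = 0.3  # illustrative cut-off, not a published standard


def jaccard(a: set, b: set) -> float:
    """Fraction of the combined indicator set that both clusters share."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def overlap_report(x: Cluster, y: Cluster) -> dict:
    """List the shared items and Jaccard similarity per evidence category."""
    report = {}
    for cat in WEIGHTS:
        sx, sy = getattr(x, cat), getattr(y, cat)
        report[cat] = {"shared": sorted(sx & sy), "jaccard": round(jaccard(sx, sy), 3)}
    return report


def link_score(x: Cluster, y: Cluster) -> float:
    """Weighted sum of per-category similarity, computed from the raw sets."""
    total = sum(WEIGHTS[cat] * jaccard(getattr(x, cat), getattr(y, cat)) for cat in WEIGHTS)
    return round(total, 3)


def assess(x: Cluster, y: Cluster) -> str:
    """Turn the score into an analyst-style judgement.

    Techniques alone never justify a link: something distinctive (an IP,
    a host, a custom tool) must be shared before the score even matters.
    """
    report = overlap_report(x, y)
    distinctive = report["infrastructure"]["shared"] or report["tooling"]["shared"]
    if not distinctive:
        return "no link: only generic techniques overlap"
    if link_score(x, y) >= LIKELY_THRESHOLD:
        return "likely shared actor or developer"
    return "possible shared tooling; corroborate before attribution"


# Constructed sample clusters (placeholders, not real indicators).
CLUSTER_A = Cluster(
    name="cluster-A",
    infrastructure={"192.0.2.10", "192.0.2.11", "192.0.2.12"},
    tooling={"packer-X", "socks-backdoor"},
    ttps={"T1566.001", "T1090", "T1562.001"},
)
CLUSTER_B = Cluster(
    name="cluster-B",
    infrastructure={"192.0.2.12", "198.51.100.7"},
    tooling={"edr-impair-tool", "packer-X"},
    ttps={"T1562.001", "T1486", "T1090"},
)
# Control cluster: overlaps with A only on techniques, so no link is claimed.
CLUSTER_C = Cluster(
    name="cluster-C",
    infrastructure={"203.0.113.5"},
    tooling={"commodity-loader"},
    ttps={"T1562.001", "T1090"},
)

if __name__ == "__main__":
    for other in (CLUSTER_B, CLUSTER_C):
        print(CLUSTER_A.name, "vs", other.name, overlap_report(CLUSTER_A, other))
        print("  score:", link_score(CLUSTER_A, other), "->", assess(CLUSTER_A, other))
```

The control pair is the point of the design: clusters A and C share two techniques, yet `assess` refuses to call that a link, because defence impairment and proxying are common to many unrelated actors. Only when an IP or a custom packer is shared does the weighted score come into play.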

Background and tendencies of the hacker team

The FIN7 hacking group is a Russian-speaking group that has been operating since 2015. These criminals deploy point-of-sale (POS) malware and run highly targeted spear-phishing attacks against various firms.[4]

Since 2020, the group has used ransomware, and in October 2021, the hackers set up their own network intrusion operations. The cybercrime syndicate has a track record of mounting large-scale malware campaigns targeting point-of-sale systems used in the restaurant, gambling, and hospitality industries.

The group's main objective is financial fraud. However, in 2022 many reports showed that FIN7 started working with various ransomware operators, including the Maze, Ryuk, DarkSide, and BlackCat gangs, helping with the initial compromise of targeted systems.

Ransomware spree affecting organizations

Since starting operations, Black Basta ransomware has claimed attacks on 90 companies as of September 2022.[5] The group has proven to be well-organized and well-resourced. Beginning in June 2022, the ransomware gang was observed using a custom EDR evasion tool that only its members employ.

Detailed analysis of Black Basta operations also retrieved samples linked to the use of these tools and uncovered the SocksBot backdoor, which the FIN7 group has used since 2018. This malware also connects to a host regularly used and trusted by FIN7.

We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups.

These technical similarities link the two groups, or at least some members of both operations. However, there is no direct evidence of whether these developers run separate campaigns or whether affiliates tied to both teams simply share the same tools. Nevertheless, the Black Basta operators have proven sophisticated and well equipped, so links to FIN7 can only mean further improvements in ransomware deployment in future campaigns.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
