FIN8 Observed Deploying BlackCat/ALPHV Ransomware


July 18, 2023


FIN8, a more traditional cybercrime gang that emerged in 2016 and typically engages in theft and fraud, has been observed delivering the BlackCat/ALPHV ransomware on networks it had previously backdoored with a known malware family dubbed Sardonic.

FIN8 is known to target the retail, hospitality, healthcare, and entertainment sectors, and is thought to be responsible for a number of impactful attack campaigns that compromised hundreds of victim organizations.

“The arsenal employed by this threat actor is extensive, encompassing a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns,” Bleeping Computer reports.

“They've also switched from BadHatch to a C++-based backdoor known as Sardonic, which, according to Bitdefender security researchers who discovered it in 2021, can collect information, execute commands, and deploy additional malicious modules as DLL plugins.”

Takeaway: The assessment that cybercriminal group FIN8 is now dabbling in ransomware is not surprising – they are financially motivated, and ransomware is a big money maker. Their operation does underscore a few things worth noting.

First, ransomware operations and network intrusions whose goal is to harvest data for financial theft and fraud are not altogether different animals.

Both require initial ingress into the targeted network and bypassing of its security controls, establishing persistence and command and control (C2), the use of malware and the abuse of legitimate network tooling, privilege escalation and lateral movement, the ability to exfiltrate sensitive data, and so on.

The biggest difference is whether or not the attackers decide to drop a ransomware payload at the tail end of the attack. And as we have seen with gangs like Karakurt and BianLian, some ransomware groups have shifted to pure data-extortion attacks, forgoing the ransomware payload and focusing solely on data exfiltration for ransom.

FIN8’s reuse of malware that has previously been detected in the wild is not groundbreaking: threat actors routinely use polymorphic versions of known malware variants, or simply repack existing code, so that it no longer matches the hashes and static signatures traditional security tools rely on.
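To make the repacking point concrete, the following added example (not code from the original post, and not FIN8 or Sardonic code) uses a toy XOR "packer" over a constructed placeholder payload. Every pack of the same payload produces a different artifact, so a SHA-256 blocklist entry for the original never fires on the repacked copies, while a check on the unpacked content, or a YARA-style string rule applied after unpacking, still does. The packer format, the `KNOWN_PAYLOAD` bytes and the `beacon c2.` rule string are all assumptions made up for this illustration.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a "known" malicious payload; it is only a string, not real malware.
KNOWN_PAYLOAD = b"EXAMPLE-BACKDOOR: beacon c2.invalid:443; load plugin as DLL"

# The kind of indicator a hash-based blocklist would carry for it.
KNOWN_HASHES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}

MAGIC = b"XPK1"   # marker for the toy packer's stub (assumed format)
KEY_LEN = 16


def pack(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Toy 'packer': emit a stub marker, a random key, then the payload XORed with that key.
    Each call with a fresh key yields a different artifact with identical behaviour."""
    if key is None:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return MAGIC + key + body


def unpack(sample: bytes) -> bytes:
    """Reverse the toy packer. A real unpacker would emulate or sandbox the stub instead."""
    if not sample.startswith(MAGIC) or len(sample) < len(MAGIC) + KEY_LEN:
        return sample  # not produced by this packer; treat as plain
    key = sample[len(MAGIC):len(MAGIC) + KEY_LEN]
    body = sample[len(MAGIC) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def hash_match(sample: bytes) -> bool:
    """Traditional IOC check: exact SHA-256 of the file as found on disk."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def unpacked_hash_match(sample: bytes) -> bool:
    """Same blocklist, but applied to the content after unpacking."""
    return hashlib.sha256(unpack(sample)).hexdigest() in KNOWN_HASHES


# Content rule in the spirit of a YARA string match; assumed string, fires regardless of wrapper.
CONTENT_RULE = b"beacon c2."


def content_match(sample: bytes) -> bool:
    """Behavioural/content indicator evaluated on the unpacked bytes."""
    return CONTENT_RULE in unpack(sample)


def demo() -> dict:
    """Pack the same payload twice and compare what each detection method sees."""
    variant_a = pack(KNOWN_PAYLOAD)
    variant_b = pack(KNOWN_PAYLOAD)
    return {
        "variants_differ": variant_a != variant_b,
        "hash_catches_original": hash_match(KNOWN_PAYLOAD),
        "hash_catches_repacked": hash_match(variant_a) or hash_match(variant_b),
        "unpacked_hash_catches_repacked": unpacked_hash_match(variant_a) and unpacked_hash_match(variant_b),
        "content_catches_repacked": content_match(variant_a) and content_match(variant_b),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway for defenders is the one the paragraph makes: a file hash identifies one build, not a malware family, so IOC feeds built on hashes lag every repack, whereas rules keyed on what the code does (its strings, imports, network behaviour) survive trivial repackaging.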

But the fact that FIN8 keeps POS malware in its repertoire in addition to the highly capable BlackCat/ALPHV ransomware payload should be of particular concern to retailers, as the targeting of POS systems has the potential to severely impact retail operations.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.