Cybercrime Group

FIN7

Russia (suspected) • Active since 2013

FIN7 has stolen over a billion dollars by hacking into restaurants and stores to steal credit card data. They ran fake job ads for 'penetration testers' who didn't realize they were working for criminals. Now they've moved into ransomware. Several members have been arrested, but the group continues operating.

Overview

FIN7 is one of the most prolific financially motivated threat groups, responsible for stealing over $1 billion from victims. Originally focused on point-of-sale malware targeting hospitality and retail, FIN7 has evolved to deploy ransomware. They operated as a seemingly legitimate company, "Combi Security," to recruit unwitting employees.

Also Known As

Carbanak, Carbon Spider, ELBRUS, ITG14, Sangria Tempest

Target Industries

Hospitality, Retail, Restaurants, Financial Services, Gaming, Energy

Target Regions

United States, Europe, Australia, Global


Tactics, Techniques & Procedures

  • Spear-phishing with malicious attachments
  • USB-based attacks via mailed packages
  • Phone-based social engineering
  • Point-of-sale malware deployment
  • Ransomware deployment

Known Tools & Malware

Carbanak, Lizar/Tirion, JSSLoader, POWERTRASH, BIRDWATCH, BlackCat/ALPHV ransomware (partnership)

Notable Campaigns

Retail POS Attacks (2015-2018)

Compromised over 6,500 individual POS terminals at thousands of business locations.

BadUSB Campaign (2021)

Mailed malicious USB drives disguised as gift cards to targets.

Ransomware Evolution (2021-2024)

Shifted focus to ransomware deployment, partnering with REvil, DarkSide, and BlackCat.

MITRE ATT&CK Techniques

T1566.001, T1091, T1059.003, T1027, T1486

Defense Recommendations

  1. Disable USB autorun and restrict USB device usage
  2. Train staff never to insert unknown USB devices
  3. Segment POS networks from business networks
  4. Implement P2PE (Point-to-Point Encryption) for card data
  5. Deploy EDR capable of detecting fileless malware
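Recommendation 1 is usually delivered through Group Policy; the script below is an added example (not from this profile, and not a FIN7 artifact) that sets the local registry equivalents of those policies and then reads them back for audit. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server where no domain GPO already owns these keys; the function names are the author's own.

```powershell
# Added example: local-policy equivalents of "disable autorun" and "restrict removable disks".
# Assumes: elevated session, Windows 10/11 or Server, keys not managed by a domain GPO.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device setup class
$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RsdKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-UsbAutorun {
    # 0xFF disables AutoRun for every drive type; HonorAutorunSetting makes Windows
    # honour NoDriveTypeAutoRun on older builds (the MS KB 967715 behaviour).
    Set-PolicyDword -Path $AutorunKey -Name 'NoDriveTypeAutoRun'  -Value 0xFF
    Set-PolicyDword -Path $AutorunKey -Name 'HonorAutorunSetting' -Value 1
}

function Block-RemovableDiskAccess {
    param([switch]$DenyAll)   # -DenyAll blocks every removable storage class, not only disks
    if ($DenyAll) {
        Set-PolicyDword -Path $RsdKey -Name 'Deny_All' -Value 1
    } else {
        $disks = Join-Path $RsdKey $RemovableDisksGuid
        Set-PolicyDword -Path $disks -Name 'Deny_Execute' -Value 1   # no launching binaries from USB disks
        Set-PolicyDword -Path $disks -Name 'Deny_Write'   -Value 1   # no copying data off the host
    }
}

function Get-UsbPolicyState {
    # Audit view: read the effective values back so they can be verified after a
    # policy refresh or compared across hosts.
    $disks = Join-Path $RsdKey $RemovableDisksGuid
    [pscustomobject]@{
        NoDriveTypeAutoRun  = (Get-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        HonorAutorunSetting = (Get-ItemProperty -Path $AutorunKey -Name HonorAutorunSetting -ErrorAction SilentlyContinue).HonorAutorunSetting
        DenyAllRemovable    = (Get-ItemProperty -Path $RsdKey     -Name Deny_All            -ErrorAction SilentlyContinue).Deny_All
        DenyExecuteDisks    = (Get-ItemProperty -Path $disks      -Name Deny_Execute        -ErrorAction SilentlyContinue).Deny_Execute
        DenyWriteDisks      = (Get-ItemProperty -Path $disks      -Name Deny_Write          -ErrorAction SilentlyContinue).Deny_Write
    }
}

Disable-UsbAutorun
Block-RemovableDiskAccess          # or: Block-RemovableDiskAccess -DenyAll
Get-UsbPolicyState | Format-List
```

The removable-storage policies act on the storage device class only. A mailed device whose firmware presents itself as a keyboard is not a storage device and is unaffected by these keys, which is why recommendation 2 (staff never plug in unknown devices) and Windows' separate device-installation-restriction policies sit alongside this control rather than being replaced by it. Re-run `Get-UsbPolicyState` after a reboot or `gpupdate` to confirm nothing overrode the values.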

Related Threat Actors

TA505, Evil Corp, BlackCat
