FIN6 intrusion links to LockerGoga and Ryuk ransomware

FIN6 intrusion links to LockerGoga

Researchers at FireEye have discovered links between the FIN6 cyber criminal group and LockerGoga and Ryuk ransomware used in recent cyber attacks.

FireEye responded to an intrusion of one of their customers in the engineering industry and noted the activity was out of the norm from previous investigations that linked FIN6 to payment card data theft.

The FireEye Managed Defense team concluded the criminal gang likely has expanded its capabilities to deploy ransomware and monetize its victims in different ways.

FIN6 has historically conducted targeted intrusions of payment card data, such as data from point-of-sale (POS) or eCommerce systems.

FireEye said that as incidents involving LockerGoga and Ryuk ransomware are on the rise, attacks and malware (like TRINITY) used by FIN6 are on the decline.

FireEye concluded though there was the possibility that the group could be carrying out ransomware attacks independently of the main group’s payment card breaches. However, they surmised FIN6 could likely be expanding and adapting with an expanded arsenal of intrusion capabilities.

You can check out FireEye’s full report, that includes details on how the attackers pulled off the initial compromise, established a foothold and escalated privileges.