Tracking FIN7 evolution from point-of-sale malware through corporate facades to ransomware.
# FIN7: From POS Malware to Ransomware
FIN7, also tracked under the alias Carbanak Group, represents one of the most financially destructive and organizationally sophisticated threat actors documented in modern cybersecurity history. Operating since at least 2013, the group has stolen an estimated one billion dollars or more from financial institutions, retailers, restaurants, and hospitality companies across dozens of countries. FIN7 did not begin as a ransomware operation. It built its early reputation targeting point-of-sale (POS) systems to harvest payment card data at scale. Over time, the group shifted its monetization strategy toward enterprise ransomware, affiliate partnerships, and multi-stage extortion campaigns. Understanding FIN7 means understanding how a criminal organization evolves, adapts its business model, and insulates itself from law enforcement disruption through corporate-like structure and operational deception.
---
FIN7 is a financially motivated advanced persistent threat (APT) group with roots in Eastern Europe, primarily attributed to Russian-speaking operators. The group is not a loose collective of independent hackers. It functions as a structured criminal enterprise with management, technical development, operations, and recruitment divisions operating in parallel. This organizational model distinguishes FIN7 from opportunistic ransomware gangs and from state-sponsored APT groups motivated by espionage rather than profit.
FIN7 is commonly conflated with the Carbanak malware or the broader Carbanak campaign. These terms are related but not interchangeable. Carbanak refers to the specific backdoor malware used in early banking-focused campaigns. FIN7 adopted Carbanak tooling but expanded its targeting, techniques, and toolset considerably. The group later incorporated the Lizar (also known as Tirion) framework, PowerPlant malware, and Domino implants, demonstrating active internal development rather than reliance on off-the-shelf tools.
FIN7 is also distinct from FIN6, a separate financially motivated group that sometimes targeted similar POS environments. They share operational overlap but are treated as separate entities by most threat intelligence vendors.
The group operates across two broad eras: the POS era (approximately 2013 through 2019), during which card data theft was the primary revenue mechanism; and the ransomware era (2019 through present), during which the group shifted toward deploying ransomware families including DarkSide, BlackMatter, and Cl0p, often working through affiliate or partner arrangements with ransomware-as-a-service (RaaS) ecosystems. FIN7 is not exclusively a RaaS affiliate. The group maintains independent capabilities while selectively partnering with ransomware operators when advantageous.
---
FIN7's attack methodology is notable for its patience, precision, and operational discipline. The group does not rely on mass exploitation or spray-and-pray phishing. Every stage of its operations reflects deliberate targeting and resource investment.
## Initial Access: Spearphishing and Social Engineering
FIN7 campaigns begin with spearphishing emails crafted to target specific roles within a victim organization. The group researches targets before contact, identifying employees in accounts payable, restaurant management, hotel operations, or IT purchasing who regularly open document attachments. Emails are written to match the business context of the target, often posing as customer complaints, vendor invoices, reservation confirmations, or regulatory correspondence. Attachments typically include malicious Microsoft Word or Excel documents that execute macros, or links to attacker-controlled pages serving payloads.
In documented campaigns, FIN7 representatives called victim organizations by telephone after sending phishing emails to increase urgency and legitimacy. Operators posed as customers, delivery companies, or software support staff, pressuring recipients to open attachments while on the call. This multi-channel social engineering significantly increases open rates compared to email-only campaigns.
## BadUSB Mailing Campaigns
Since at least 2020, FIN7 has supplemented its initial access methods by mailing physical USB devices to target organizations. Packages were sent via the United States Postal Service or UPS, sometimes accompanied by fake gift cards or branded packaging impersonating Amazon or the Department of Health and Human Services. The devices are not ordinary storage: when plugged in, they register as a keyboard and inject keystrokes that launch a PowerShell command to fetch and install a backdoor, including the GRIFFON JavaScript downloader, Carbanak variants, and later PowerPlant. This method bypasses email security controls entirely and exploits human curiosity about unexpected packages. Because the device presents itself as a human interface device rather than a disk, removable-storage policies that only block mass-storage devices do not stop it.
## Post-Compromise Activity
Once initial access is established, FIN7 operators move deliberately. They conduct internal reconnaissance using native Windows tools such as net.exe, nltest, and PowerShell to map Active Directory structure, identify domain controllers, and locate financial systems or POS terminals. The group prioritizes staying beneath detection thresholds, often remaining dormant or low-activity for days or weeks while establishing persistence through scheduled tasks, registry run keys, or WMI subscriptions.
In the POS era, operators installed custom memory scrapers on POS terminals to harvest Track 1 and Track 2 payment card data from RAM. The scrapers work because card data sits in clear text in the POS application's memory between the card read and the point where the software encrypts it for transmission; a scraper that pattern-matches process memory for track layouts sees the number before any transport encryption applies. Terminals that encrypt at the read head (point-to-point encryption) never expose clear-text track data to the host and are not vulnerable to this technique. Stolen card data was aggregated on internal staging systems and exfiltrated in compressed, encrypted archives through HTTPS connections to attacker infrastructure.
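The pattern-matching a RAM scraper of the kind described above performs, and that a forensic examiner performs in reverse to establish what was exposed, as an added example that is not part of the original article and is not FIN7 tooling: a Luhn-validated Track 1 / Track 2 scanner over a constructed memory buffer. The track layouts follow ISO/IEC 7813; the buffer, the offsets and the PANs (the public 4111... and 5555... test numbers) are the example's own, and the `pos.dll` filler and decoy record are invented.

```python
import re
from typing import Dict, List

# Magnetic-stripe track layouts (ISO/IEC 7813), which is what a RAM scraper
# pattern-matches for in POS process memory:
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})[0-9A-Z ]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; separates real PANs from look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits, as a forensic report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-validated track records found in a raw memory buffer, by offset."""
    findings: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                             "service_code": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": m.group(2).decode(), "service_code": m.group(3).decode()})
    return sorted(findings, key=lambda f: f["offset"])


def sample_dump() -> bytes:
    """Constructed stand-in for a POS process memory dump (not a real capture).
    The PANs are public test numbers; the third record is a decoy whose PAN
    fails Luhn and must be ignored."""
    track1 = b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    track2 = b";5555555555554444=25121010000000000?"
    decoy = b";1234567890123456=25121010000000000?"
    return b"\x00" * 32 + track1 + b"\xff" * 16 + track2 + b"pos.dll\x00" + decoy + b"\x00" * 8


if __name__ == "__main__":
    for finding in scan_memory(sample_dump()):
        print(finding)
```

The Luhn filter is what keeps a scanner like this from drowning in false positives on a buffer full of timestamps and serial numbers; a real scraper also restricts itself to the POS application's process rather than all of RAM, and a forensic run would log only masked PANs, as here, so the evidence file does not itself become cardholder data.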
In the ransomware era, post-compromise activity shifted toward domain privilege escalation, bulk data exfiltration for double-extortion purposes, and the eventual deployment of ransomware payloads. FIN7 often uses legitimate remote administration tools including AnyDesk and TeamViewer to maintain access alongside custom implants, complicating detection because these tools blend into normal IT operations.
## Fake Front Companies as Recruitment Infrastructure
FIN7 created at least two documented fake security companies: Combi Security and Bastion Secure. These entities maintained professional websites, offered legitimate-looking employment contracts, and recruited actual security professionals to conduct what they described as penetration testing engagements. Hired staff performed real technical work against real victim networks, believing they were conducting authorized assessments. This approach gave FIN7 access to skilled operators while insulating core group members from direct exposure, and it diffused criminal liability across unwitting contractors. When Bastion Secure was exposed in 2021 by Recorded Future's Gemini Advisory unit, the company's job listings and technical test assignments were analyzed and found to correspond directly to FIN7 intrusion tooling and target profiles.
## Ransomware Deployment and Affiliate Activity
FIN7's connection to DarkSide ransomware was established through overlaps in tooling and infrastructure between FIN7 intrusions and DarkSide deployments. When DarkSide rebranded as BlackMatter following the Colonial Pipeline attack in 2021, FIN7 operators continued working within that ecosystem. More recently, the group has been linked to Cl0p ransomware operations, suggesting ongoing flexibility in ransomware partnerships. FIN7 maintains independent capabilities while using RaaS relationships to expand scale and share operational risk.
---
FIN7's impact is not theoretical. The group's campaigns have caused direct, measurable financial damage across thousands of organizations. The FBI estimated in 2018 that FIN7 had compromised more than 100 American companies and stolen more than 15 million customer payment card records. Restaurants including Chipotle Mexican Grill experienced card data breaches in 2017 attributed to FIN7, with fraudulent card activity detected across multiple states within days of compromise. Hotels operated by Omni Hotels and the Trump Hotel Collection were also affected. In each case, the breach path followed the same pattern: spearphishing entry, POS scraper deployment, bulk card data exfiltration.
The shift to ransomware dramatically increased per-victim revenue. A single ransomware deployment against a mid-market enterprise can generate hundreds of thousands to millions of dollars, compared to the dollars-per-record economics of reselling card dumps, where revenue only scales with the number of cards harvested. This monetization shift also means FIN7 now threatens organizations that do not process payment cards, including healthcare systems, manufacturing companies, and critical infrastructure operators.
A persistent misconception is that arresting FIN7 leadership degrades the group's capability. In 2018, three high-ranking FIN7 members were arrested including Fedir Hladyr, who served as a systems administrator and was sentenced to ten years in federal prison. Operations did not stop. The corporate structure meant that other operators absorbed functions, new front companies were created, and recruitment continued. This is a fundamental difference between FIN7 and less organized threat actors: leadership arrests create disruption, not dissolution.
Another misconception is that FIN7 only targets large organizations. The group has repeatedly attacked mid-market hospitality and retail businesses with fewer than 500 employees, selecting targets based on payment volume and perceived security maturity rather than company size. Any organization processing significant card transactions or holding valuable enterprise data is within scope.
---
CDA approaches FIN7 through the Planetary Defense Model (PDM), applying threat intelligence domain (TID) analysis and defensive posture strategy (DPS) to position client organizations ahead of FIN7's operational patterns rather than reacting to incidents after they occur. The guiding methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you.
FIN7's corporate structure and multi-year operational continuity mean the group produces observable patterns. Campaign timing, phishing infrastructure registration behaviors, tooling signatures, and recruitment activity all generate intelligence signals that can be tracked. CDA analysts monitor dark web job listings for patterns consistent with FIN7 recruitment tradecraft, including technical assessments referencing specific implant behaviors. When Bastion Secure's listings were analyzed in 2021, practitioners who had tracked FIN7 tooling recognized the test tasks as direct operational preparation rather than legitimate assessments. Proactive intelligence collection of this type provides warning ahead of active campaigns.
On the TID side, CDA builds FIN7-specific threat profiles that map the group's documented TTPs to MITRE ATT&CK framework techniques, allowing defenders to identify which detection gaps are most consequential. FIN7's consistent use of spearphishing (T1566), macro-enabled documents (T1204.002), living-off-the-land binaries (T1218), and scheduled tasks for persistence (T1053.005) means that detection investments in these specific technique categories produce disproportionate value against this specific threat.
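The discovery, persistence and proxy-execution behaviours listed in the post-compromise section above, turned into the kind of technique-tagged detection logic this ATT&CK mapping argues for, as an added example that is not the article's or CDA's own code. It runs over constructed process-creation events whose field names, hostnames, users, timestamps and command lines are invented for the example (the shape loosely follows a reduced Sysmon event 1 or Security 4688 record); the rule set, the three-technique threshold and the 30-minute window are assumptions a detection team would tune to its own environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# A rule is (ATT&CK technique id, label, predicate over (image basename, lowercased command line)).
Rule = Tuple[str, str, Callable[[str, str], bool]]

# Discovery commands of the kind FIN7 runs with native Windows tools after initial access.
# Any one is routine admin work; several distinct ones from one host in a short window is the signal.
RECON_RULES: List[Rule] = [
    ("T1033", "user and privilege discovery",
     lambda img, cmd: img == "whoami.exe"),
    ("T1087.002", "domain account or group enumeration",
     lambda img, cmd: img == "net.exe" and "/domain" in cmd and (" group " in cmd or " user " in cmd)),
    ("T1018", "domain controller discovery",
     lambda img, cmd: img == "nltest.exe" and "/dclist" in cmd),
    ("T1482", "domain trust discovery",
     lambda img, cmd: img == "nltest.exe" and "/domain_trusts" in cmd),
    ("T1069.002", "domain group membership via PowerShell",
     lambda img, cmd: img == "powershell.exe" and "get-adgroupmember" in cmd),
]

# Persistence, proxy execution and remote-tool events: each is worth an alert on its own.
SINGLE_EVENT_RULES: List[Rule] = [
    ("T1053.005", "scheduled task created",
     lambda img, cmd: img == "schtasks.exe" and "/create" in cmd),
    ("T1547.001", "Run key written with reg.exe",
     lambda img, cmd: img == "reg.exe" and " add " in cmd and "\\currentversion\\run" in cmd),
    ("T1546.003", "WMI event subscription created",
     lambda img, cmd: "__eventfilter" in cmd or "commandlineeventconsumer" in cmd or "register-wmievent" in cmd),
    ("T1218.010", "regsvr32 loading a scriptlet",
     lambda img, cmd: img == "regsvr32.exe" and "scrobj.dll" in cmd),
    ("T1218.005", "mshta execution",
     lambda img, cmd: img == "mshta.exe"),
    ("T1219", "AnyDesk silent install",
     lambda img, cmd: img == "anydesk.exe" and "--install" in cmd),
]


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    """One JSON object per line with time, host, user, image and cmdline fields."""
    return [json.loads(line) for line in lines if line.strip()]


def analyze(events: List[Dict[str, str]], window: timedelta = timedelta(minutes=30),
            recon_threshold: int = 3) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        recon_hits: List[Tuple[datetime, str]] = []
        for ev in evs:
            img = ev["image"].lower().rsplit("\\", 1)[-1]
            cmd = ev["cmdline"].lower()
            for tid, label, pred in SINGLE_EVENT_RULES:
                if pred(img, cmd):
                    alerts.append({"host": host, "time": ev["time"], "techniques": [tid], "reason": label})
            for tid, _label, pred in RECON_RULES:
                if pred(img, cmd):
                    recon_hits.append((datetime.fromisoformat(ev["time"]), tid))
        # Sliding window over the host's discovery commands: fire once, at the first
        # point where enough distinct techniques fall inside the window.
        for i, (t0, _tid) in enumerate(recon_hits):
            seen = {tid for t, tid in recon_hits[i:] if t - t0 <= window}
            if len(seen) >= recon_threshold:
                alerts.append({"host": host, "time": t0.isoformat(), "techniques": sorted(seen),
                               "reason": f"{len(seen)} distinct discovery techniques within {window}"})
                break
    return alerts


# Constructed sample: one host running a FIN7-style discovery burst followed by a scheduled
# task, and one host doing ordinary work. Hostnames, users and paths are invented.
SAMPLE_LOG = r"""
{"time": "2021-08-17T09:00:05", "host": "POS-MGR-01", "user": "corp\\jsmith", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"}
{"time": "2021-08-17T09:01:12", "host": "POS-MGR-01", "user": "corp\\jsmith", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"}
{"time": "2021-08-17T09:02:40", "host": "POS-MGR-01", "user": "corp\\jsmith", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp.local"}
{"time": "2021-08-17T09:06:30", "host": "POS-MGR-01", "user": "corp\\jsmith", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /mo 15 /tn \"WinUpdateCheck\" /tr \"powershell -w hidden -f C:\\Users\\Public\\up.ps1\""}
{"time": "2021-08-17T10:00:00", "host": "HR-WS-07", "user": "corp\\alee", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use H: \\\\fs01\\home"}
{"time": "2021-08-17T10:30:00", "host": "HR-WS-07", "user": "corp\\alee", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"}
"""


def detect_sample() -> List[Dict[str, object]]:
    return analyze(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

The burst rule is the one that matters against this actor: `whoami`, `net group /domain` and `nltest /dclist` each fire in legitimate administration every day, so alerting on them individually trains analysts to ignore them, while three distinct discovery techniques from a POS-adjacent host inside half an hour is rare enough to page on. The single-event rules then give the ATT&CK ids the page lists (T1218, T1053.005) a concrete trigger that can be measured against a gap assessment.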
On the DPS side, CDA works with clients in retail, hospitality, and financial services to implement POS network segmentation that physically and logically separates payment processing environments from general enterprise networks, removing the lateral movement path FIN7 relies on. USB device control policies are implemented and tested with phishing simulation programs that include physical media components. Because FIN7's mailed devices present as keyboards rather than disks, those policies have to cover human interface devices as well as removable storage, and staff guidance has to treat any unsolicited device as something to hand to security rather than plug in.
CDA does not treat FIN7 as a static threat. The group's transition from DarkSide to BlackMatter to Cl0p affiliation is tracked as an organizational behavior indicator. When FIN7 changes ransomware partners, it often signals a change in targeting criteria or victim profile. CDA alerts client organizations operating in newly targeted sectors before campaigns are publicly documented, not after.
---
Written by CDA Editorial