
A cybercrime group known primarily for hacking retailers and stealing payment card details from point-of-sale (POS) systems has changed tactics and is now also deploying ransomware on infected networks.

The group, named FIN6, has a reputation in the cyber-security field for being one of the most advanced cyber-criminal groups around.

Its activities were first documented in the spring of 2016, when FireEye published a first report detailing its extensive hacks and advanced arsenal.

At the time, the group had developed a versatile POS malware strain named Trinity (aka FrameworkPOS). FIN6 would hack into the networks of major retailers, move laterally across their systems, and deploy Trinity on computers that handled POS data to extract payment card details that they would later upload to their own servers.

The group would make money by selling these stolen payment card details on hacking forums, making millions of US dollars along the way.

FIN6: Deploying ransomware since July 2018

But according to a new report published on Friday, April 5, by FireEye, the group is now also deploying ransomware on some of the hacked networks, specifically on those that don't handle POS data.

And the group hasn't been dropping just any kind of ransomware. According to FireEye, since July 2018, the group has been deploying the Ryuk and LockerGoga ransomware strains.

Both of these strains have been at the center of a wave of high-profile infections that have crippled government agencies and large companies from the private sector alike, with the most recent victim being Norsk Hydro.

Kaspersky analyst says LockerGoga may be linked to Grim Spider (makers of the Ryuk ransomware) https://t.co/YimPkGUYic — Catalin Cimpanu (@campuscodi) March 28, 2019

According to previous reports from CrowdStrike, FireEye, Kryptos Logic, McAfee, IBM, and Cybereason, the group is believed to be operating out of Russia, from where it rents the infrastructure of other groups (Emotet and TrickBot) to search for large companies that it would later infect with Trinity, Ryuk, or LockerGoga.


Is FIN6 now a ransomware-first group?

In its most recent report on FIN6, FireEye spotted and highlighted this change in tactics, from Trinity to Ryuk/LockerGoga.

However, the company's analysts couldn't say for sure if this is now the group's main modus operandi, or if this is just a side-activity carried out by some group members "independently of the group's payment card breaches."

But regardless of whether FIN6 is now a ransomware-first group, companies and their cybersecurity departments need to pay close attention to this new development, read the recent FireEye report detailing the group's new operational tactics, and improve their detection capabilities accordingly, as sightings of certain tools may also indicate the presence of this advanced threat actor on a company's network.

Third, focusing on detecting commonly used tools like Metasploit, Cobalt Strike, and Empire — and tactics like encoded PowerShell scripts or RDP logins with keylength:0 — is a must. You will scoop multiple actors this way. Super important when actors are trying new payloads. — PaulM (@pmelson) April 5, 2019
