Meet FIN11, a cybercrime outfit going after pharma companies while leaning on extortion

The group joins the list of notorious financially-minded hackers.

Researchers have pieced together details about a newly identified, financially motivated hacking group they say is behind bold, large and long-running malware campaigns.

And it’s only getting worse: The hackers have expanded their range of targets over the past two years while using increasingly aggressive ransomware attacks, according to research published Wednesday by FireEye’s threat intelligence unit, Mandiant.

The company dubbed the group FIN11, a designation it gives financial crime groups. That makes it the first group to get the FIN label since FIN10 three years ago.

The hackers are notable for “removing the last vestiges of restraint” in their ransomware and extortion targeting, said John Hultquist, senior director of analysis for Mandiant Threat Intelligence, a unit of FireEye. They’ve gone after pharmaceutical companies and other health care targets during the COVID-19 pandemic.


More broadly, the health care industry has encountered a barrage of attacks from hackers during the pandemic, including ransomware attacks that authorities say have hit hospitals and health care conglomerates and attempts to hack companies working on a COVID-19 vaccine. And among FIN groups identified to date, FIN7 — blamed for allegedly stealing $1 billion from U.S. victims — might be the most notorious.

FIN11 didn’t begin as a ransomware operation, researchers said. But as the practice has become more lucrative, FIN11 has adopted the digital extortion technique, demanding ransoms of up to $10 million after locking victims’ systems and threatening to release data unless they pay.

“They’re clearly undeterred and willing to not only take all this money and disrupt their operations, but publicly embarrass and extort them,” Hultquist said.

From 2017 to 2018, FIN11 mostly targeted the financial, retail and restaurant sectors. In 2019 and 2020, it got less choosy and more prolific, mostly using generic email lures such as “bank statement” or “invoice” to trick targets, but sometimes tailoring its lures by region and language. Mandiant has observed successful attacks in North America, Europe and elsewhere.

Mandiant has “moderate” confidence that the group is based in the largely Russian-speaking Commonwealth of Independent States, but couldn’t narrow it to a specific nation, Hultquist said.


While FIN11 has been active since 2016, its tactics and techniques overlap with the group known as TA505 that’s been around since at least 2014. Nonetheless, “we have not attributed TA505’s early operations to FIN11 and caution against conflation of the two clusters,” Mandiant said in its full report on FIN11.
