Notorious hacking group FIN7 adds ransomware to its repertoire

Ransomware strains such as Maze, Ryuk and BlackCat have increasingly been part of FIN7's playbook in recent years, Mandiant says.

The long-running cybercrime group FIN7, known for breaking into payment systems and corporate networks, has been moving into ransomware operations, according to researchers at security firm Mandiant.

The company said it has identified increased data-theft extortion or ransomware deployment associated with FIN7 attacks in recent years. Ransomware strains used in connection with the group’s operators include Maze, Ryuk and ALPHV — also known as BlackCat — the researchers said Monday.

“Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” researchers note.

Experts noted a major indicator that the group was transitioning into ransomware in the fall when researchers at Recorded Future unmasked a company called Bastion Secure as a front for the group’s efforts to hire hacking talent. Researchers believe that FIN7 was responsible for the software behind the hack of major East Coast fuel provider Colonial Pipeline by ransomware group DarkSide. Mandiant’s research also connects FIN7 to DarkSide.


FIN7 gained notoriety for a spree of campaigns starting in 2014 that helped the group rack up more than $1 billion in stolen funds from more than 100 companies internationally. The group’s methods have ranged from hacking into point-of-sale systems to posing as government officials to trick employees into opening malware.

But the group suffered some setbacks after U.S. officials nabbed two of FIN7’s top leaders. The United States prosecuted one leader of the gang, Ukrainian Andrii Kolpakov, in 2021. Kolpakov oversaw a team of hackers who between 2016 and 2018 breached U.S. corporations including Chipotle, resulting in huge losses. Another member, Denys Iarmak, pleaded guilty to federal charges in November.

Also new to FIN7’s playbook is the group’s use of supply chain compromise to gain additional system access, Mandiant said. In one case, FIN7 actors compromised a website that sells digital products and modified multiple download links to point to an Amazon S3 bucket hosting a malware installer. The hackers then later remotely deployed Powerplant, a “vast backdoor framework with a breadth of capabilities” that researchers describe as unique to FIN7.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.