Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks
The cybercrime group FIN7 has been observed deploying Cl0p ransomware, marking its first ransomware campaign since late 2021. Microsoft detected the activity in April 2023 and is tracking the group under its new taxonomy as Sangria Tempest.

In the recent attacks, Sangria Tempest used the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and gain a foothold in target networks. The group then used OpenSSH and Impacket to move laterally and deploy the Clop ransomware. FIN7 has previously been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, and its activity has acted as a precursor to Maze and Ryuk ransomware attacks.

Active since 2012, the group targets a wide range of organizations across various sectors. It is also known for setting up fake security companies to recruit employees for conducting ransomware attacks and other operations. IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino, developed by FIN7.

FIN7's use of POWERTRASH to deliver Lizar was also highlighted by WithSecure in connection with attacks that exploited a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access. This development indicates FIN7's continued reliance on a variety of ransomware families and a shift in its monetization strategy from payment card data theft to extortion.

Malware tags: Clop(Linux), Cl0p, Clop, Clop(Windows), LockBit(MacOS), LockBit, LockBit(Windows), LockBit(Linux), REvil(Linux), REvil, Conti(Linux), Conti, POWERTRASH, DarkSide(Windows), DarkSide, BlackBasta(Windows), Black Basta, REvil(Windows), DarkSide(Linux), Lizar, Conti(Windows), BlackBasta(Linux), Maze, Carbanak, DICELOADER, Ryuk, Tirion

CVEs: CVE-2023-27350, CVE-2023-27532

[View Article](https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.html)