The longstanding FIN7 threat group resumed operations in 2024 and is driving an increase in Cl0p ransomware attacks. While the US Attorney for Washington state declared FIN7 “an entity no more” in May 2023, the group became increasingly active in April 2024. Starting in May 2024, Arete observed an increase in FIN7’s trojan communicating from victim environments two to three months prior to those victims being posted to the Cl0p extortion group’s data leak site (DLS).
Separately, the Cl0p group rose to prominence in June 2023 after exploiting a vulnerability in the MOVEit file transfer software. In 2024, Cl0p returned to ransomware deployment operations, with a steady rate of attacks that have increased since June 2024. Importantly, not all Cl0p ransomware attacks are perpetrated by FIN7, and not all FIN7 operations are conducted with the Cl0p group. However, the combination of these threat actors presents an elevated threat to victims due to their deep combined experience in attacking victims.
What’s New and Notable
- FIN7 began operating in 2013, but took a nearly year-long hiatus from operations before reestablishing itself in April 2024. Its recent operations are focused on creating malicious advertisements (malvertising) to deliver trojanized applications that give the threat actor access to the victim environment.
- One malvertising campaign is delivering a trojan which is commonly observed communicating from a victim environment two to three months prior to the victim appearing on the Cl0p group’s DLS.
- In addition to distributing a trojan used prior to a Cl0p ransomware infection, FIN7 is selling an endpoint detection and response (EDR) bypass and evasion tool on dark web forums.
- After conducting primarily extortion-only attacks in 2023, the Cl0p group returned to exfiltrating and encrypting data in its recent attacks.
Analyst Comments
FIN7 is an example of an established cybercriminal group whose operations span a broad scope of monetization schemes. The group deploys ransomware, operates ransomware brands, conducts payment fraud, and sells tools other threat actors can use to target victims. With over a decade of experience in the cybercriminal ecosystem and multiple law enforcement actions against them, the group remains sophisticated and viable. Their partnership with Cl0p further magnifies the potential damage these threat actors can inflict. Organizations can defend themselves prior to data exfiltration and encryption by monitoring for suspicious outbound connections to foreign IP addresses.
References:
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
FIN7 Recruits Talent For Push Into Ransomware
Profile for ransomware group : clop
The Stark Truth Behind the Resurgence of Russia’s Fin7
Russia-linked FIN7 hackers sell their security evasion tool to other groups on darknet
Related Resources
![]()
Iranian Hackers Working with Ransomware Groups
An Iranian threat group linked to the GOI collaborates with ransomware affiliates, aiding network access and extortion for a ransom share.
Read more![]()
Automotive Industry Faces Increased Cyberattacks
Recent ransomware attacks have severely impacted the automotive industry, disrupting car and parts availability, dealership operations, and global economies.
Read more![]()
Malware Spotlight: Fog Ransomware
The Fog ransomware group is one of the few threat actors targeting one industry: education. This spotlight explores the group’s observed behavior, background information on the threat actor, and a technical analysis of Fog’s ransomware executable.
Read more
