Background
FIN11 is a financially motivated cybercrime group that Mandiant publicly identified in 2020, though the group's operations date back to at least 2016. The group is primarily known as the operator behind many of the most impactful Cl0p ransomware deployments and mass exploitation campaigns targeting managed file transfer (MFT) platforms. FIN11 is widely assessed to operate from Russia or a CIS country and is tracked by Microsoft under the designator Lace Tempest.
The group has evolved significantly over its operational lifespan. Early operations focused on high-volume phishing campaigns delivering banking trojans (FlawedAmmyy) and SDBot malware against financial institutions, retail, and restaurant companies. By 2020-2021, FIN11 pivoted toward deploying Cl0p ransomware for double-extortion attacks. By 2023, the group had transitioned to mass exploitation of zero-day vulnerabilities in file transfer software as its primary monetization strategy, affecting hundreds of organizations simultaneously.
FIN11 is notable for operating at exceptional scale. The GoAnywhere MFT exploitation campaign in early 2023 affected over 130 organizations, and the MOVEit Transfer zero-day exploitation in May 2023 affected over 2,000 organizations globally, making it one of the largest single cyber intrusion campaigns in history.
Notable Campaigns
GoAnywhere MFT Zero-Day Exploitation (February 2023): FIN11 exploited CVE-2023-0669, a zero-day in Fortra's GoAnywhere MFT platform, to steal data from over 130 organizations within two weeks. Victims included Rubrik, Procter & Gamble, Community Health Systems, and the City of Toronto. The group used a web shell named DEWMODE to extract files from GoAnywhere instances.
MOVEit Transfer Zero-Day Campaign (May-June 2023): FIN11 exploited CVE-2023-34362 in Progress Software's MOVEit Transfer platform, affecting over 2,000 organizations across government, healthcare, financial services, and education sectors. Victims included the U.S. Department of Energy, the BBC, British Airways, Shell, and multiple state governments. The campaign demonstrated unprecedented scale for a ransomware-affiliated group.
Accellion FTA Exploitation (December 2020 - January 2021): FIN11 exploited multiple zero-days in the legacy Accellion File Transfer Appliance to steal data from over 100 organizations. Unlike typical ransomware attacks, this campaign involved pure data theft and extortion without encryption, presaging the group's later MFT exploitation strategy.
High-Volume Phishing Campaigns (2016-2020): FIN11 ran some of the highest-volume phishing campaigns recorded, distributing tens of millions of malicious emails per campaign. These operations targeted financial services, retail, and restaurant sectors, delivering FlawedAmmyy and SDBot as precursors to banking fraud and later ransomware deployment.
Tactics, Techniques & Procedures
FIN11's modern modus operandi centers on identifying and exploiting zero-day vulnerabilities in enterprise file transfer and managed file transfer software (T1190). Once a zero-day is weaponized, the group moves at exceptional speed, exploiting vulnerable instances at scale before patches are widely applied. Web shells (DEWMODE, LEMURLOOT) are deployed to enable persistent access and data exfiltration from compromised file transfer systems.
For targeted ransomware deployments, FIN11 uses spearphishing (T1566.001) and high-volume malspam campaigns to deliver initial access malware. Post-compromise activity follows a structured approach: credential harvesting, network reconnaissance, lateral movement with Cobalt Strike, and deployment of Cl0p ransomware for encryption. The group exfiltrates data before encryption using cloud storage services (T1567.002).
FIN11 is notable for operating with minimal dwell time during MFT exploitation campaigns, often completing data theft within hours of initial access without escalating to ransomware deployment.
Tools & Malware
- Cl0p Ransomware: The group's primary ransomware payload, used in targeted double-extortion attacks. Encrypts files and uses a dedicated leak site to pressure non-paying victims.
- DEWMODE / LEMURLOOT: Custom web shells deployed on compromised GoAnywhere and MOVEit Transfer servers for data exfiltration.
- FlawedAmmyy: Custom remote access trojan derived from leaked Ammyy Admin source code, used in early financial targeting campaigns.
- SDBot: IRC-based backdoor used as a secondary access mechanism in early campaigns.
- FRIENDSPEAK / MIXLABEL: Custom downloader and loader tools used in phishing delivery chains.
- Cobalt Strike: Commercial post-exploitation framework used in targeted ransomware deployment campaigns.
Indicators & Detection
Detection of FIN11 activity requires monitoring across multiple attack surfaces. For MFT platforms, apply vendor-supplied IoCs immediately upon disclosure of vulnerabilities in GoAnywhere MFT, MOVEit Transfer, Accellion FTA, and similar products. Monitor IIS and application logs on file transfer servers for unusual ASPX web shell activity, particularly POST requests to unexpected or newly created ASPX files in system directories.
Network monitoring should flag bulk outbound HTTP/HTTPS transfers from file transfer server IP addresses to cloud storage services. Endpoint detection on MFT servers should alert on unexpected process execution, particularly PowerShell or command shell spawned by the file transfer application process.
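The two log-based checks described above, written out as an added example (not code from the original profile or from any vendor): one flags POST requests to ASPX endpoints that are not in a known-good baseline, the other sums egress from the MFT server to cloud-storage destinations. The W3C field order, the baseline paths, the addresses, and the 1 GiB threshold are all placeholder assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed IIS W3C field order (take it from the log's own "#Fields:" line in practice).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status", "sc-bytes"]
# Placeholder baseline of legitimate ASPX endpoints on the MFT server.
KNOWN_ASPX = {"/mftportal/login.aspx", "/mftportal/upload.aspx"}

def parse_iis(log_text):
    """Parse W3C-style IIS lines into dicts, skipping '#' directive lines."""
    rows = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split())))
    return rows

def unknown_aspx_posts(rows):
    """POST requests to .aspx endpoints that are not in the baseline."""
    return [r for r in rows
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower().endswith(".aspx")
            and r["cs-uri-stem"].lower() not in KNOWN_ASPX]

def bulk_cloud_egress(flows, mft_ip, cloud_dsts, threshold=1 << 30):
    """Sum bytes per destination for flows sourced from the MFT server and
    return the cloud-storage destinations whose total exceeds the threshold."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src == mft_ip and dst in cloud_dsts:
            totals[dst] += nbytes
    return {dst: n for dst, n in totals.items() if n > threshold}

# Constructed sample data: documentation-range addresses, invented paths.
IIS_SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-30 01:02:03 203.0.113.7 GET /mftportal/login.aspx 200 512
2023-05-30 01:02:09 203.0.113.7 POST /mftportal/upload.aspx 200 1024
2023-05-30 01:03:11 203.0.113.7 POST /mftportal/tmpctl.aspx 200 2048
2023-05-30 01:03:12 203.0.113.7 POST /api/v1/folders 200 300
"""
FLOW_SAMPLE = [("192.0.2.10", "198.51.100.5", 3 * (1 << 30)),  # MFT server -> cloud bucket
               ("192.0.2.10", "198.51.100.9", 5 * (1 << 20)),  # small, below threshold
               ("192.0.2.20", "198.51.100.5", 4 * (1 << 30))]  # not the MFT server

if __name__ == "__main__":
    for hit in unknown_aspx_posts(parse_iis(IIS_SAMPLE)):
        print("unknown ASPX POST:", hit["c-ip"], hit["cs-uri-stem"])
    print("bulk cloud egress:", bulk_cloud_egress(FLOW_SAMPLE, "192.0.2.10", {"198.51.100.5", "198.51.100.9"}))
```

In a real deployment the baseline would be generated from the vendor's documented endpoints and the flow records would come from the perimeter firewall or NetFlow collector rather than an inline list.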
Patch management velocity is the primary mitigation: FIN11 exploits zero-days during the window between public disclosure and patching. Organizations using GoAnywhere, MOVEit, or similar platforms should subscribe to vendor security bulletins and treat critical MFT vulnerabilities as emergency patch priorities.