© 2023 CyberNews - Latest tech news,
product reviews, and analyses.


Inside FIN7 gang: death threats and Colonial Pipeline links


Notorious cybercrime gang FIN7 has proven links with major ransomware gangs such as LockBit, Darkside, and REvil. The group also doesn’t shy away from motivating its members with death, researchers claim.

Russian advanced persistent threat (APT) group FIN7, known for ransomware, espionage, and creating fake infosec firms to trick security experts, has had its inner workings exposed by researchers.

The threat intelligence team at cybersecurity company Prodaft Cyber analyzed thousands of inside conversations between FIN7 members to paint a dark picture of a ruthless criminal gang interlinked with major global ransomware cartels.

“We think FIN7 consisted of real-life gangs, not only cybercriminals. They operate safe houses, conduct money laundering activities, use guns, or make kidnapping attempts, so their activities definitely span beyond the cybersphere,” Prodaft researchers told Cybernews.

Rough management

Prodaft’s report reveals that working for the cyber underworld, just as for any other criminal gang, carries sinister implications. In one of the chat logs, the group administrator issues ultimatums to team members to make them work harder.

“If you suddenly do not work or disappear, then we can go to extreme measures, at first we will kill one of the closest relatives (parents), and we will put you in the basement and [you] will slave for free,” FIN7 administrator wrote.

According to the researchers, the group’s boss, Alex, lives in Russia, while most pen-testers and developers live in Ukraine.

“Since some people live in the Russian-occupied regions of Ukraine, managers clearly stated that they can easily kidnap and torture team members,” researchers told Cybernews.

Unsurprisingly, Russia’s war in Ukraine is scarcely discussed by the group members, with leaders referring to the Russian invasion as a “serious situation” or “bad environment.” However, researchers noted that there’s no indication any FIN7 member works directly for the Russian government.


Developed structure

The FIN7 organization encompasses at least 31 members, with defined roles for top management, developers, penetration testers, and affiliates, the report shows.

The alleged leader, “Alex,” is believed to be the ringleader, responsible for infiltration and ransomware attacks on corporations, and is heavily involved in the attacks themselves.

Another gang member, “Rash,” acts as the money man in charge of ransomware operations. The threat actor is suspected of being involved with the now-defunct ransomware cartel REvil and the notorious LockBit gang.

According to the researchers, threat actors under Rash’s authority don’t know how much money their attacks net or how the loot is distributed.

The organization’s third leader, “Sergey-Oleg,” is a tailored access specialist responsible for assigning tasks to other group members. Researchers believe that he is instrumental in breaching high-value targets.


Interlinked nature

Researchers told Cybernews that FIN7 works with different ransomware teams and sometimes even operates their own groups. High-rank officers of FIN7 facilitate collaboration, and managers handle the distribution of tasks.

“This situation creates a perception that makes their team resilient against the sanctions. It’s similar to Evil Corp, which regularly changes its ransomware stack. When we need to profile a ransomware team based on their tactics, techniques, and procedures, we cannot solely combine their activities into a single entity,” researchers explained.

The evasive methods employed by criminals pose difficulties for researchers since there are no clear lines when it comes to ‘different’ ransomware cartels, as they often cooperate and assist each other in conducting attacks and other malicious activities.

Researchers spotted numerous cases where FIN7 members discussed involvement in attacks attributed to other ransomware groups.

For example, a 2020 chat clearly indicates that the group’s members took part in an attack against FARO Technologies, a company that was posted on REvil’s leak site.

The report’s authors claim that FIN7 members discussed the infamous Colonial Pipeline attack by the Darkside ransomware cartel. Researchers even discovered a text file named darkside_readme.txt in the FIN7 team’s infrastructure.
