BIPI

FIN7: From Card Skimming to Ransomware Affiliate

Threat Intelligence

FIN7 spent a decade perfecting card-skimming malware. In 2024, the same crew shows up as a ransomware affiliate selling EDR-killers on underground forums. The pivot tells you everything about the economics of e-crime.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 6, 2024 · 8 min read

#fin7 #retail #blackcat #threat-intelligence

FIN7 is the case study for how financially motivated cybercrime evolves with the market. The same group that ran Carbanak against banks and stole 15 million payment cards from Chipotle, Arby's, and Saks Fifth Avenue has rebranded as a ransomware service provider. The TTPs evolved. The crew did not.

Actor Profile

FIN7 is also tracked as Carbon Spider, Sangria Tempest and ITG14; Combi Security, one of its corporate front companies, is sometimes used as a label for the front-operations side of the crew. The group has been active since 2013, ran fake penetration-testing firms (Combi Security, Bastion Secure) to recruit talent who did not know they were working for a criminal enterprise, and saw multiple senior members arrested or sentenced in the US between 2018 and 2023. Despite the arrests, operational continuity has been preserved through new affiliates and rebrands.

Attribution caveat: post-2020 FIN7 activity overlaps significantly with Conti, Ryuk, REvil and ALPHV/BlackCat affiliate operations. The crew sells access and tooling as well as running end-to-end campaigns, so a FIN7 toolset in an intrusion does not by itself mean FIN7 operators were on the keyboard.

TTPs

Modern FIN7 is a toolmaker as much as an operator. The 2024 toolkit is a mix of bespoke implants and exploitation of recent vendor vulnerabilities.

  • AvNeutralizer (aka AuKill): EDR-killing tool that abuses legitimate drivers, sold to other ransomware crews and observed in AvosLocker, MedusaLocker and Black Basta intrusions
  • BadUSB devices mailed to victim staff, disguised as Best Buy gift cards or Amazon packages (MITRE ATT&CK T1200, Hardware Additions)
  • Exploitation of PaperCut MF/NG (CVE-2023-27350) for initial access via internet-exposed print servers
  • Spear-phishing with malicious LNK files inside ZIP archives that launch PowerShell loaders, staging backdoors such as PowerPlant and Carbanak
  • Cobalt Strike for post-exploitation, then handoff to a ransomware affiliate (ALPHV, REvil, RansomHub)

Notable Victims

Historical: Chipotle, Arby's, Red Robin, Saks Fifth Avenue, Lord & Taylor, Caesars Entertainment and Hudson's Bay. Recent: multiple hospitality, retail and BPO targets tied to BlackCat/ALPHV affiliate incidents in 2023 and 2024, including operations against Las Vegas hospitality (separate from, but coinciding with, the Scattered Spider activity), several manufacturing firms, and law firms holding high-value M&A data.

Arresting three operators does not dismantle FIN7. It dismantles three operators.

Detection Signals

FIN7's modern tradecraft creates strong telemetry if you are watching driver loads and unusual physical-media events.

  • Loads of known-vulnerable signed drivers (TrueSight RC, the drivers abused by AvNeutralizer variants) followed within minutes by EDR service stops on the same host
  • A newly enumerated USB HID device that presents as a keyboard and begins injecting keystrokes within about 30 seconds of connection
  • The PaperCut application server process (pc-app.exe) spawning PowerShell or cmd.exe
  • Cobalt Strike beacon callbacks to newly registered domains with hospitality- or retail-themed names
  • Exfiltration staging with rclone or MEGAsync to cloud storage ahead of encryption
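As an added example (not code from the BIPI article), the Python script below correlates three of the signals above over constructed, Sysmon-style events: a vulnerable driver load followed by an EDR service stop on the same host, pc-app.exe spawning a shell, and rclone pointed at a cloud remote. The event schema, field names, the driver and service watchlists, the host names and the ten-minute correlation window are all assumptions chosen for the demonstration, not values taken from the article.

```python
"""Correlate FIN7-style signals over constructed Windows telemetry.

Added example, not code from the BIPI article. The event schema, field names,
watchlists and the correlation window are assumptions for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watchlists (assumptions, not exhaustive). In production, key the
# driver list off the Microsoft Vulnerable Driver Blocklist hashes, not filenames,
# because the attacker chooses the filename.
ABUSABLE_DRIVERS = {"truesight.sys", "procexp152.sys", "proclaunchmon.sys"}
EDR_SERVICES = {"sentinelagent", "csfalconservice", "sense", "windefend"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}
EXFIL_REMOTES = ("mega:", "pcloud:", "b2:")
DRIVER_WINDOW = timedelta(minutes=10)  # driver load -> EDR stop correlation window

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOG = r"""
{"ts": "2024-07-15T02:10:05", "host": "POS-SRV-01", "event": "driver_load", "image": "C:\\Windows\\Temp\\truesight.sys"}
{"ts": "2024-07-15T02:10:41", "host": "POS-SRV-01", "event": "service_stop", "service": "SentinelAgent"}
{"ts": "2024-07-15T02:12:00", "host": "WS-07", "event": "service_stop", "service": "WinDefend"}
{"ts": "2024-07-15T02:09:00", "host": "PRINT-01", "event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2024-07-15T03:30:12", "host": "FILE-SRV-02", "event": "process_create", "image": "C:\\Users\\Public\\rclone.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "rclone.exe copy D:\\Finance mega:finance --transfers 16"}
{"ts": "2024-07-15T08:00:00", "host": "WS-12", "event": "driver_load", "image": "C:\\Windows\\System32\\drivers\\disk.sys"}
{"ts": "2024-07-15T08:01:00", "host": "WS-12", "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"}
"""


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return (rule, severity, host, detail) tuples, in event time order."""
    alerts = []
    recent_drivers = defaultdict(list)  # host -> [(ts, driver name)]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        host = e["host"]
        kind = e["event"]
        if kind == "driver_load":
            name = basename(e["image"])
            if name in ABUSABLE_DRIVERS:
                recent_drivers[host].append((ts, name))
                alerts.append(("vulnerable_driver_load", "medium", host, name))
        elif kind == "service_stop":
            if e["service"].lower() not in EDR_SERVICES:
                continue
            # An EDR stop is always worth a look; one right after an abusable
            # driver load on the same host is the AvNeutralizer pattern.
            prior = [n for t, n in recent_drivers[host] if ts - t <= DRIVER_WINDOW]
            if prior:
                alerts.append(("edr_stop_after_vulnerable_driver", "high", host,
                               f"{e['service']} stopped after {prior[-1]}"))
            else:
                alerts.append(("edr_service_stop", "medium", host, e["service"]))
        elif kind == "process_create":
            image = basename(e["image"])
            parent = basename(e["parent_image"])
            cmd = e.get("cmdline", "").lower()
            if parent == "pc-app.exe" and image in SHELLS:
                alerts.append(("papercut_spawns_shell", "high", host, e["cmdline"]))
            if image in EXFIL_TOOLS and any(r in cmd for r in EXFIL_REMOTES):
                alerts.append(("cloud_exfil_staging", "high", host, e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, severity, host, detail in detect(load_events(SAMPLE_LOG)):
        print(f"[{severity:6}] {host:12} {rule}: {detail}")
```

Against the constructed log this yields five alerts: the driver load on POS-SRV-01, the high-severity EDR stop that follows it, a lone WinDefend stop on WS-07, the pc-app.exe child shell on PRINT-01 and the rclone copy to a MEGA remote on FILE-SRV-02; the benign disk.sys load and the Explorer-launched PowerShell on WS-12 produce nothing. The HID-keyboard signal is not modelled here because it comes from the USB stack rather than process telemetry.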

Defensive Controls

The retail and hospitality sectors remain FIN7's home turf. Defense is layered, and physical media is part of the threat model.

  1. Enable the Microsoft Vulnerable Driver Blocklist and your EDR's own driver block policy; AvNeutralizer relies on legitimate but exploitable drivers.
  2. Train mailroom and front-desk staff to escalate any unexpected USB media; the BadUSB lure works because nobody flags packages.
  3. Patch PaperCut, ConnectWise ScreenConnect and other internet-exposed admin software within 48 hours of the vendor advisory.
  4. Segment POS and back-office networks; the cardholder data environment should not share Active Directory trust with the corporate domain.
  5. Monitor outbound transfers from servers to rclone-friendly cloud storage (MEGA, pCloud, Backblaze B2).

If your sector touches payment cards, hospitality, or retail logistics, FIN7 is on your threat model whether you wrote them down or not. The crew has outlasted every law enforcement action against it and now sells the tooling that other crews use to extort your competitors.
