FIN7
Confidence: High • Threat level: High
Aliases: Carbanak • Carbon Spider • Sangria Tempest • ELBRUS • ITG14
FIN7 is a sophisticated, financially motivated cybercrime group that has been active since at least 2013. The group is of Russian origin and is also known by various other names, including Carbanak Group, Navigator Group, and Carbon Spider. Initially, FIN7 focused on the retail and hospitality sectors, employing custom malware to steal payment card data from point-of-sale (POS) systems. Over the years, the group has expanded its targeting to a wide range of industries, including software, consulting, and financial services. Its tactics have evolved from POS data theft to "big game hunting": targeted ransomware attacks against large organizations, with multi-million-dollar ransom demands. FIN7 is known for its advanced capabilities, including the use of a front company, Combi Security, to recruit unwitting security researchers and use them in its operations. The group has demonstrated a high level of operational security, using various techniques to hide its activities and infrastructure. Its malware arsenal is extensive and includes custom backdoors, loaders, and ransomware. Despite the arrests of some of its members, FIN7 has proven to be a resilient and adaptive threat, continuously evolving its tactics and tools to remain effective.
Target Sectors
Target Regions
Attributed to a cybercriminal group (no state sponsor) based in Russia. Attribution confidence: High.
Future Outlook
FIN7 is expected to continue operations targeting the retail sector.
First observed activity of FIN7
Continued active operations