
FIN11 is a financially motivated cybercriminal group, active since at least 2016. The group has been responsible for various attacks, including ransomware, data theft, and business email compromise (BEC) scams. In this blog, we will take a closer look at FIN11, including their tactics, techniques, and procedures (TTPs) and the potential impact of their attacks.

FIN11 Background

FIN11 is a financially motivated threat actor known for targeting organisations in the financial, retail, hospitality, and healthcare sectors. 

The group has been active since at least 2016 and is believed to be based in Eastern Europe. While the group primarily targets organisations in Europe and North America, it has also targeted organisations in Asia and the Middle East.

Tactics, Techniques, and Procedures (TTPs) of FIN11

FIN11 uses a range of TTPs to conduct its attacks. Some of the most common techniques used by FIN11 include:

  1. Phishing emails: FIN11 commonly uses phishing emails to deliver malware, steal credentials, and conduct BEC scams. The emails often appear to come from a legitimate source, such as a bank or vendor, and include a malicious attachment or link.
  2. Malware: FIN11 has used a range of malware, including the FlawedAmmyy RAT, the Cobalt Strike Beacon, and the SDBbot RAT. The group often uses custom malware specifically designed to evade detection by anti-virus software.
  3. Ransomware: FIN11 has been known to use ransomware, such as the CLOP and FiveHands ransomware, to encrypt the victim's data and demand a ransom payment in exchange for the decryption key.
  4. Business email compromise (BEC) scams: FIN11 has conducted BEC scams by impersonating senior executives and requesting fraudulent wire transfers or sensitive information.

What's the Impact of FIN11 Attacks?

The impact of FIN11 attacks can be significant for organisations. In addition to the financial losses incurred from ransom payments or fraud, organisations can suffer reputational damage and loss of customer trust. The theft of sensitive data can also result in regulatory fines and legal action. The impact of a successful FIN11 attack can be particularly severe for small and medium-sized businesses that may not have the resources to recover from a cyberattack.

How to protect your business against FIN11 attacks 

To protect against FIN11 attacks, organisations should take the following steps: 

  1. Email security: Organisations should implement email security measures, such as anti-spam filters and anti-phishing solutions, to help detect and prevent phishing emails from reaching employees. 
  2. Keep software up to date: Keep your software and operating systems up to date to reduce the risk of exploitation of known vulnerabilities. 
  3. Use multi-factor authentication: Multi-Factor Authentication (MFA) can help prevent unauthorized access to accounts and reduce the risk of BEC scams. 
  4. Backup data regularly: Regularly backing up data can help organisations recover from a ransomware attack without paying the ransom. 
  5. Train employees: Conduct expert-led cybersecurity awareness training for employees. Train employees to recognise and report phishing emails and other suspicious activity.


FIN11 is a financially motivated cybercriminal group that uses a range of tactics, techniques, and procedures to attack organisations. By implementing strong security measures and training employees, organisations can minimise the risk of a FIN11 attack and protect their data from theft and ransomware encryption. Reducing the attack surface with good segmentation, keeping software up to date, and implementing a robust Network Detection and Response program alongside your Endpoint Detection and Response can help reduce the risk of loss from an attack.


Date Published
February 22, 2023