FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
Researchers have declared that FIN11 now represents a separate threat actor group and has split off from the cybercrime group known as TA505. Although the two groups share similar techniques and identifying tactics, researchers have determined that they are distinct operating entities with different goals. FIN11 is financially motivated, while TA505 is notorious for its large-scale and sophisticated phishing campaigns distributing Dridex and various ransomware variants.
Researchers now believe that some attacks previously attributed to TA505 may have actually been the work of FIN11, especially those that utilized a set of malware variants unique to FIN11. FIN11 now primarily focuses on ransomware and extortion, hoping to benefit financially rather than leverage sensitive information for political or other purposes.