Financial Theft

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[1] business email compromise (BEC) and fraud,[2] "pig butchering,"[3] bank hacking,[4] and exploiting cryptocurrency networks.[5]

Adversaries may Compromise Accounts to conduct unauthorized transfers of funds.[6] In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[2] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[7]

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact [8] and Exfiltration of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.[9] Adversaries may use dedicated leak sites to distribute victim data.[10]

Because financial theft can have an immense business impact, an adversary may also pose as a financially motivated actor seeking monetary gain in order to divert attention from their true goals, such as Data Destruction and business disruption.[11]

ID: T1657
Sub-techniques: No sub-techniques
Tactic: Impact
Platforms: Linux, Office Suite, SaaS, Windows, macOS
Impact Type: Availability
Contributors: Blake Strom, Microsoft Threat Intelligence; Menachem Goldstein; Pawel Partyka, Microsoft Threat Intelligence
Version: 1.2
Created: 18 August 2023
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
G1024 Akira

Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[12]

G1021 Cinnamon Tempest

Cinnamon Tempest has maintained leak sites for exfiltrated data in an attempt to extort victims into paying a ransom.[13]

S1111 DarkGate

DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[14]

G1016 FIN13

FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions.[15]

G1032 INC Ransom

INC Ransom has stolen and encrypted victims' data in order to extort payment for keeping it private or decrypting it.[16][17][18][19][20]

G0094 Kimsuky

Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.[21]

G1026 Malteiro

Malteiro targets organizations in a wide variety of sectors using the Mispadu banking trojan with the goal of financial theft.[22]

G1040 Play

Play demands ransom payments from victims to decrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks.[23]

G1015 Scattered Spider

Scattered Spider has deployed ransomware on compromised hosts for financial gain.[24][25]

G0083 SilverTerrier

SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.[26][27]

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email.

M1017 User Training

Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.[28][29]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Review and monitor financial application logs for signs of financial theft, such as abnormal monetary transactions or resource balances.

Email logs may also highlight account takeovers, impersonation, or other activity that may enable monetary theft.
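As an added illustration of the log review described above (example code written for this page, not part of ATT&CK or any vendor tooling), the following Python script replays constructed payment-application and email log lines and raises two of the signals the detection entry names: a long-standing payee suddenly paid to a never-before-seen beneficiary account for an outlier amount, and a trusted display name reused from an untrusted sender domain. The log formats, the z-score threshold and the trusted-domain set are assumptions.

```python
import csv, statistics
from collections import defaultdict

# Constructed payment log (CSV), not real data; the last row is the anomalous payment.
PAYMENT_LOG = """ts,payee,beneficiary_acct,amount,approver
2024-05-01T09:00:00Z,Acme Parts,GB11-0001,12000,alice
2024-05-08T09:00:00Z,Acme Parts,GB11-0001,11800,alice
2024-05-15T09:00:00Z,Acme Parts,GB11-0001,12100,alice
2024-05-22T09:00:00Z,Acme Parts,GB11-0001,12050,alice
2024-05-29T17:55:00Z,Acme Parts,LT99-7777,48000,alice
"""

# Constructed email log; the second message reuses a trusted display name from a lookalike domain.
EMAIL_LOG = """ts,display_name,from_addr,to_addr,subject
2024-05-29T16:40:00Z,Dana Reyes (CFO),dana.reyes@example.com,alice@example.com,Q2 numbers
2024-05-29T17:30:00Z,Dana Reyes (CFO),dana.reyes@examp1e.com,alice@example.com,Updated bank details for Acme
"""

TRUSTED_DOMAINS = {"example.com"}  # assumed set of the organisation's own mail domains

def flag_payments(log_text, z_threshold=3.0):
    """Return (alert, ts, payee) tuples for beneficiary changes and amount outliers."""
    history = defaultdict(list)  # payee -> prior rows, built as the log is replayed
    alerts = []
    for row in csv.DictReader(log_text.splitlines()):
        prior = history[row["payee"]]
        if prior:
            if row["beneficiary_acct"] not in {p["beneficiary_acct"] for p in prior}:
                alerts.append(("new_beneficiary_account", row["ts"], row["payee"]))
            amounts = [float(p["amount"]) for p in prior]
            if len(amounts) >= 3:  # need a baseline before judging an amount
                sd = statistics.pstdev(amounts) or 1.0  # avoid dividing by zero
                if abs(float(row["amount"]) - statistics.mean(amounts)) / sd > z_threshold:
                    alerts.append(("amount_outlier", row["ts"], row["payee"]))
        prior.append(row)
    return alerts

def flag_emails(log_text, trusted_domains=TRUSTED_DOMAINS):
    """Flag external senders reusing a display name already seen from a trusted domain."""
    trusted_names = set()
    alerts = []
    for row in csv.DictReader(log_text.splitlines()):
        domain = row["from_addr"].rsplit("@", 1)[-1].lower()
        if domain in trusted_domains:
            trusted_names.add(row["display_name"])
        elif row["display_name"] in trusted_names:
            alerts.append(("display_name_impersonation", row["ts"], row["from_addr"]))
    return alerts
```

In practice the beneficiary-change alert is the stronger signal and should feed the out-of-band payment approval described under M1018, while the display-name check is a cheap first filter that a mail gateway can apply before delivery.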

References

  1. FBI. (n.d.). Ransomware. Retrieved August 18, 2023.
  2. FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.
  3. Lily Hay Newman. (n.d.). ‘Pig Butchering’ Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.
  4. Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.
  5. Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.
  6. IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.
  7. CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.
  8. Nicole Perlroth. (2021, May 13). Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers. Retrieved August 18, 2023.
  9. Daniel Kapellmann Zafra, Corey Hidelbrandt, Nathan Brubaker, Keith Lunden. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.
  10. Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.
  11. Frank Bajak and Raphael Satter. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.
  12. Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.
  13. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  14. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  15. Sygnia Incident Response Team. (2022, January 5). TG2003: Elephant Beetle Uncovering an Organized Financial-Theft Operation. Retrieved February 9, 2023.