Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[1] business email compromise (BEC) and fraud,[2] "pig butchering,"[3] bank hacking,[4] and exploiting cryptocurrency networks.[5]
Adversaries may Compromise Accounts to conduct unauthorized transfers of funds.[6] In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[2] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[7]
Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact [8] and Exfiltration of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.[9] Adversaries may use dedicated leak sites to distribute victim data.[10]
Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as Data Destruction and business disruption.[11]
ID | Name | Description |
---|---|---|
G1024 | Akira |
Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[12] |
G1021 | Cinnamon Tempest |
Cinnamon Tempest has maintained leak sites for exfiltrated data in attempt to extort victims into paying a ransom.[13] |
S1111 | DarkGate |
DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[14] |
G1016 | FIN13 |
FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions.[15] |
G1026 | Malteiro |
Malteiro targets organizations in a wide variety of sectors via the use of Mispadu banking trojan with the goal of financial theft.[16] |
G1015 | Scattered Spider |
Scattered Spider has deployed ransomware on compromised hosts for financial gain.[17][18] |
G0083 | SilverTerrier |
SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.[19][20] |
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management |
Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email. |
M1017 | User Training |
Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.[21][22] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
Review and monitor financial application logs for signs of financial theft, such as abnormal monetary transactions or resource balances. Email logs may also highlight account takeovers, impersonation, or another activity that may enable monetary theft. |