{
	"id": "ae7e020f-3ecc-410c-857e-faa15403f0be",
	"created_at": "2026-04-06T00:19:15.489079Z",
	"updated_at": "2026-04-10T03:33:53.581463Z",
	"deleted_at": null,
	"sha1_hash": "81eddb4a3bd696ddb94a63aa5f75699f2e8b8b75",
	"title": "Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322053,
	"plain_text": "Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to\r\nRyuk and LockerGoga Ransomware\r\nBy Mandiant\r\nPublished: 2019-04-05 · Archived: 2026-04-05 18:17:08 UTC\r\nWritten by: Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson,\r\nDouglas Bienstock\r\nSummary\r\nRecently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the\r\nengineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data. The\r\nintent of the intrusion was initially unclear because the customer did not have or process payment card data.\r\nFortunately, every investigation conducted by Managed Defense or Mandiant includes analysts from our FireEye\r\nAdvanced Practices team who help correlate activity observed in our hundreds of investigations and voluminous\r\nthreat intelligence holdings. Our team quickly linked this activity with some recent Mandiant investigations and\r\nenabled us to determine that FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to\r\nfurther monetize their access to compromised entities.\r\nThis blog post details the latest FIN6 tactics, techniques, and procedures (TTPs), including ties to the use of\r\nLockerGoga and Ryuk ransomware families. It also highlights how early detection and response combined with\r\nthreat intelligence gives Managed Defense customers a decisive advantage in stopping intruders before their goals\r\nmanifest. In this instance, Managed Defense thwarted a potentially destructive attack that could have cost our\r\ncustomer millions of dollars due to business disruption.\r\nDetection and Response\r\nManaged Defense worked in tandem with the customer’s security team to acquire relevant log data, share findings\r\nfrom system analysis, and answer critical investigative questions. 
The customer was also undergoing a penetration\r\ntest, so additional scrutiny was required in order to delineate between authorized testing activity and unauthorized\r\nactivity attributed to FIN6. Our customer provided valuable insight into the role and importance of affected\r\nsystems in preparation for entering Rapid Response. Rapid Response is a service offering that delivers incident\r\nresponse support to Managed Defense customers. As with any incident response service, the primary goal is to\r\nscope the nature of the identified malicious activity and to assist our customers with a successful eradication\r\nevent to eliminate the presence of adversaries.\r\nManaged Defense, utilizing FireEye Endpoint Security technology, detected and responded to the threat activity\r\nidentified within the customer’s environment. The subsequent investigation revealed FIN6 was in the initial phase\r\nof an intrusion using stolen credentials, Cobalt Strike, Metasploit, and publicly available tools such as Adfind and\r\n7-Zip to conduct internal reconnaissance, compress data, and aid their overall mission.\r\nhttps://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\r\nPage 1 of 7\n\nManaged Defense investigated activity on two systems initially detected as compromised by FireEye Endpoint\r\nSecurity, the industry-leading endpoint security solution that was ranked as the most effective endpoint detection\r\nand response (EDR) solution. The activity was detected by comprehensive real-time methodology signatures\r\ndesigned to identify the most evasive adversary techniques. Pivoting from these initial leads, analysts identified\r\nsuspicious SMB connections and Windows Registry artifacts that indicated the attacker had installed malicious\r\nWindows services to execute PowerShell commands on remote systems. 
Windows Event Log entries revealed the\r\nuser account details responsible for the service installation and provided additional IOCs (Indicators of\r\nCompromise) to assist Managed Defense in scoping the compromise and identifying other systems accessed by\r\nFIN6. Managed Defense utilized Windows Registry Shellbag entries to reconstruct FIN6’s actions on\r\ncompromised systems that were consistent with lateral movement.\r\nAttack Lifecycle\r\nInitial Compromise, Establish Foothold, and Escalate Privileges\r\nManaged Defense analysts identified that FIN6 initially gained access to the environment by compromising an\r\ninternet-facing system. Following the compromise of this system, analysts identified that FIN6 leveraged stolen\r\ncredentials to move laterally within the environment using the Windows Remote Desktop Protocol (RDP).\r\nFollowing the RDP connection to systems, FIN6 used two different techniques to establish a foothold:\r\nFirst technique: FIN6 used PowerShell to execute an encoded command. The command consisted of a byte array\r\ncontaining a base64 encoded payload shown in Figure 1.\r\nFigure 1: Base64 encoded command\r\nThe encoded payload was a Cobalt Strike httpsstager that was injected into the PowerShell process that ran the\r\ncommand. The Cobalt Strike httpsstager was configured to download a second payload from\r\nhxxps://176.126.85[.]207:443/7sJh. FireEye retrieved this resource and determined it was a shellcode payload\r\nconfigured to download a third payload from hxxps://176.126.85[.]207/ca. FireEye was unable to determine the\r\nfinal payload because it was no longer hosted at the time of analysis.\r\nSecond technique: FIN6 also leveraged the creation of Windows services (named with a random 16-character\r\nstring such as IXiCDtPbtGWnrAGQ) to execute encoded PowerShell commands. The randomly named service is\r\na by-product of using Metasploit, which creates the 16-character service by default. 
The encoded command\r\ncontained a Metasploit reverse HTTP shellcode payload stored in a byte-array like the first technique. The\r\nMetasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address\r\n176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2\r\nURL contained shellcode that would make an HTTPS request for an additional download.\r\nTo achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique\r\nincluded within the Metasploit framework that allows for SYSTEM-level privilege escalation.\r\nInternal Reconnaissance and Lateral Movement\r\nFIN6 conducted internal reconnaissance with a Windows batch file leveraging Adfind to query Active Directory,\r\nthen 7-zip to compress the results for exfiltration:\r\nadfind.exe -f (objectcategory=person) \u003e ad_users.txt\r\nadfind.exe -f objectcategory=computer \u003e ad_computers.txt\r\nadfind.exe -f (objectcategory=organizationalUnit) \u003e ad_ous.txt\r\nadfind.exe -subnets -f (objectCategory=subnet) \u003e ad_subnets.txt\r\nadfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nadfind.exe -gcb -sc trustdmp \u003e ad_trustdmp.txt\r\n7.exe a -mx3 ad.7z ad_*\r\nThe outputs of the batch file included Active Directory users, computers, organizational units, subnets, groups,\r\nand trusts. With these outputs, FIN6 was able to identify user accounts that could access additional hosts in the\r\ndomain. For lateral movement, FIN6 used another set of compromised credentials with membership to additional\r\ngroups in the domain to RDP to other hosts.\r\nMaintain Presence\r\nWithin two hours of the initial detection, the systems were contained using FireEye Endpoint Security. 
Through\r\ncontainment, attacker access to the systems was denied while valuable forensic evidence remained intact for\r\nremote analysis. Due to Managed Defense’s Rapid Response and containment, FIN6 was unable to maintain\r\npresence or achieve their objective.\r\nThrough separate Mandiant Incident Response investigations, FireEye has observed FIN6 conducting intrusions to\r\ndeploy either Ryuk or LockerGoga ransomware. The investigations observed FIN6 using similar tools, tactics, and\r\nprocedures that were observed by FireEye Managed Defense during the earlier phases of the attack lifecycle.\r\nMandiant observed additional indicators from the later attack lifecycle phases.\r\nLateral Movement\r\nFIN6 used encoded PowerShell commands to install Cobalt Strike on compromised systems. The attacker made\r\nuse of Cobalt Strike’s “psexec” lateral movement command to create a Windows service named with a random\r\n16-character string on the target system and execute encoded PowerShell. In some cases, the encoded PowerShell\r\ncommands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com.\r\nComplete Mission\r\nFIN6 also moved laterally to servers in the environment using RDP and configured them as malware\r\n“distribution” servers. The distribution servers were used to stage the LockerGoga ransomware, additional\r\nutilities, and deployment scripts to automate installation of the ransomware. Mandiant identified a utility script\r\nnamed kill.bat that was run on systems in the environment. This script contained a series of anti-forensics and\r\nother commands intended to disable antivirus and destabilize the operating system. FIN6 automated the\r\ndeployment of kill.bat and the LockerGoga ransomware using batch script files. 
FIN6 created a number of BAT\r\nfiles on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. These BAT\r\nfiles contained psexec commands to connect to remote systems and deploy kill.bat along with LockerGoga. FIN6\r\nrenamed the psexec service name to “mstdc” in order to masquerade as the legitimate Windows executable\r\n“msdtc.” Example strings from the deployment BAT files are shown in Figure 2. To ensure a high success rate, the\r\nattacker used compromised domain administrator credentials. Domain administrators have complete control over\r\nWindows systems in an Active Directory environment.\r\nstart copy svchost.exe \\\\10.1.1.1\\c$\\windows\\temp\\start psexec.exe \\\\10.1.1.1 -u domain\\domainadmin -p \"passwor\r\nFigure 2: Strings from deployment BAT files\r\nRansomware\r\nRyuk is a ransomware that uses a combination of public and symmetric-key cryptography to encrypt files on the\r\nhost computer. LockerGoga is ransomware that uses 1024-bit RSA and 128-bit AES encryption to encrypt files\r\nand leaves ransom notes in the root directory and shared desktop directory. Additional information about Ryuk and\r\nLockerGoga is available on the FireEye Intelligence portal: 18-00015730 and 19-00002005\r\nAttribution\r\nFIN6 has traditionally conducted intrusions targeting payment card data from Point-of-Sale (POS) or eCommerce\r\nsystems. This incident’s targeting of the engineering industry would be inconsistent with that objective. However,\r\nwe have recently identified multiple targeted Ryuk and LockerGoga ransomware incidents showing ties to FIN6,\r\nthrough both Mandiant incident response investigations and FireEye Intelligence research into threats impacting\r\nother organizations. We have traced these intrusions back to July 2018, and they have reportedly cost victims tens\r\nof millions of dollars. 
As the frequency of these intrusions deploying ransomware has increased, the cadence of\r\nactivity traditionally attributed to FIN6—intrusions targeting point-of-sale (POS) environments, deploying\r\nTRINITY malware and sharing other key characteristics—has declined. Given that, FIN6 may have evolved as a\r\nwhole to focus on these extortive intrusions. However, based on tactical differences between these ransomware\r\nincidents and historical FIN6 activity, it is also possible that some FIN6 operators have been carrying out\r\nransomware deployment intrusions independently of the group’s payment card breaches. Which of those scenarios\r\nis happening would influence how pressing a threat the group’s card data breach tactics continue to be. Criminal\r\noperations and relationships are highly adaptable, so we commonly encounter such attribution challenges in\r\nregards to criminal activity. Given that these intrusions have been sustained for almost a year, we expect that\r\ncontinued research into further intrusion attempts may enable us to more fully answer these questions regarding\r\nFIN6’s current status.\r\nIndicators\r\nType 
Indicator\r\nNetwork\r\n31.220.45[.]151\r\n46.166.173[.]109\r\n62.210.136[.]65\r\n89.105.194[.]236\r\n93.115.26[.]171\r\n103.73.65[.]116\r\n176.126.85[.]207\r\n185.202.174[.]31\r\n185.202.174[.]41\r\n185.202.174[.]44\r\n185.202.174[.]80\r\n185.202.174[.]84\r\n185.202.174[.]91\r\n185.222.211[.]98\r\nhxxps://176.126.85[.]207:443/7sJh\r\nhxxps://176.126.85[.]207/ca\r\nhxxps://176.126.85[.]207:443/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY\r\nhxxps://pastebin[.]com/raw/0v6RiYEY\r\nhxxps://pastebin[.]com/raw/YAm4QnE7\r\nhxxps://pastebin[.]com/raw/p5U9siCD\r\nhxxps://pastebin[.]com/raw/BKVLHWa0\r\nhxxps://pastebin[.]com/raw/HPpvY00Q\r\nhxxps://pastebin[.]com/raw/L4LQQfXE\r\nhxxps://pastebin[.]com/raw/tDAbbY52\r\nhxxps://pastebin[.]com/raw/u9yYjTr7\r\nhxxps://pastebin[.]com/raw/wrehJuGp\r\nhxxps://pastebin[.]com/raw/Bber9jae\r\nHost\r\n031dd207c8276bcc5b41825f0a3e31b0\r\n0f9931210bde86753d0f4a9abc5611fd\r\n12597de0e709e44442418e89721b9140\r\n32ea267296c8694c0b5f5baeacf34b0e\r\n395d52f738eb75852fe501df13231c8d\r\n39b7c130f1a02665fd72d65f4f9cb634\r\n3c5575ce80e0847360cd2306c64b51a0\r\n46d781620afc536afa25381504059612\r\n4ec86a35f6982e6545b771376a6f65bb\r\n73e7ddd6b49cdaa982ea8cb578f3af15\r\n8452d52034d3b2cb612dbc59ed609163\r\n8c099a15a19b6e5b29a3794abf8a5878\r\n9d3fdb1e370c0ee6315b4625ecf2ac55\r\nd2f9335a305440d91702c803b6d046b6\r\n34187a34d0a3c5d63016c26346371b54\r\nad_users.txt\r\nad_trustdmp.txt\r\nad_subnets.txt\r\nad_ous.txt\r\nad_group.txt\r\nad_computers.txt\r\n7.exe\r\nKill.bat\r\nSvchost.exe\r\nMstdc.exe\r\nDetecting the Techniques\r\nThe following table contains several specific detection names, including methodology detections for several 
tools\r\nand techniques that applied to the initial infection activity as well as additional detection names for the\r\nransomware used by FIN6.\r\nPlatform Signature Name\r\nEndpoint Security\r\nMETASPLOIT A (METHODOLOGY)\r\nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\r\nBEACON A (FAMILY)\r\nSYSNATIVE ALIAS RUNDLL32.EXE (METHODOLOGY)\r\nNetwork Security and Email Security\r\nFE_Ransomware_Win64_Ryuk_1\r\nFE_Ransomware_Win_LOCKERGOGA_1\r\nFE_Ransomware_Win_LOCKERGOGA_2\r\nFE_Ransomware_Win32_LOCKERGOGA_1\r\nFE_Ransomware_Win32_LOCKERGOGA_2\r\nFE_Ransomware_Win64_LOCKERGOGA_1\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
	],
	"report_names": [
		"pick-six-intercepting-a-fin6-intrusion.html"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81eddb4a3bd696ddb94a63aa5f75699f2e8b8b75.pdf",
		"text": "https://archive.orkl.eu/81eddb4a3bd696ddb94a63aa5f75699f2e8b8b75.txt",
		"img": "https://archive.orkl.eu/81eddb4a3bd696ddb94a63aa5f75699f2e8b8b75.jpg"
	}
}