Description
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)
Adversaries may Compromise Accounts to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)
Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact (Citation: NYT-Colonial) and Exfiltration of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)
Due to the potentially immense business impact of financial theft, an adversary may also stage apparent financial theft and feign a monetary motive to divert attention from their true goals, such as Data Destruction and business disruption.(Citation: AP-NotPetya)
Platforms
Mitigations (2)
User Training (M1017)
Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.(Citation: Cyber Safety Review Board: Lapsus)(Citation: SWAT-hospital)
User Account Management (M1018)
Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email.
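The two controls above (verifying payment and beneficiary changes outside of email, and limiting who may authorize sensitive transactions) map directly onto the business email compromise scenario in the description. The following is an added example, not MITRE's code, showing how a payment-approval policy can encode them: a beneficiary account that differs from the vendor record is only accepted when a callback to the phone number already on file confirmed that exact account, approvals sent over email/SMS/chat are rejected, and amounts above a threshold need two distinct approvers. Vendor records, request data, channel names and the threshold value are all constructed for the example.

```python
"""Payment-approval policy against business email compromise (BEC).

Hypothetical example written for this page; not MITRE's or any vendor's code.
All vendor records, requests, channel names and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Channels that must not be used to authorize a transfer or a beneficiary
# change (M1018: approve payments outside insecure lines such as email).
INSECURE_CHANNELS = {"email", "sms", "chat"}

# Amount at or above which a second, distinct approver is required (assumed policy value).
DUAL_APPROVAL_THRESHOLD = 10_000


@dataclass
class Vendor:
    name: str
    account_on_file: str
    verification_phone: str  # number from the original contract, never from the request itself


@dataclass
class PaymentRequest:
    vendor: str
    amount: int
    beneficiary_account: str
    requested_via: str                       # channel the request arrived on
    approvers: List[str] = field(default_factory=list)  # user ids who approved
    approval_channel: str = "email"          # channel the approval was given on
    # Account confirmed by a callback to the vendor's known number, if such a
    # callback was performed and logged by the accounts-payable team.
    oob_verified_account: Optional[str] = None


def evaluate(req: PaymentRequest, vendors: Dict[str, Vendor]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); reasons is empty when the request passes."""
    reasons: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["unknown vendor"]

    if req.beneficiary_account != vendor.account_on_file:
        # Classic BEC pattern: "please pay our new account". Only accept when the
        # out-of-band callback confirmed exactly this account.
        if req.oob_verified_account != req.beneficiary_account:
            reasons.append("beneficiary differs from vendor record and was not verified out of band")

    if req.approval_channel in INSECURE_CHANNELS:
        reasons.append(f"approval received over insecure channel '{req.approval_channel}'")

    distinct = set(req.approvers)
    if not distinct:
        reasons.append("no approver recorded")
    elif req.amount >= DUAL_APPROVAL_THRESHOLD and len(distinct) < 2:
        reasons.append("amount requires two distinct approvers")

    return (not reasons), reasons


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the policy over three constructed requests and return the outcomes."""
    vendors = {
        "Acme Supplies": Vendor("Acme Supplies", "ACCT-ON-FILE-123", "+1-555-0100"),
    }
    # 1. BEC-style: new account, requested and approved by email, single approver.
    bec_style = PaymentRequest("Acme Supplies", 25_000, "NEW-ACCT-999", "email",
                               approvers=["ap_clerk"], approval_channel="email")
    # 2. Same change, but the callback confirmed the account and two people
    #    approved inside the ERP portal rather than over email.
    verified_dual = PaymentRequest("Acme Supplies", 25_000, "NEW-ACCT-999", "email",
                                   approvers=["ap_clerk", "controller"],
                                   approval_channel="erp_portal",
                                   oob_verified_account="NEW-ACCT-999")
    # 3. Routine small payment to the account already on file.
    routine = PaymentRequest("Acme Supplies", 500, "ACCT-ON-FILE-123", "erp_portal",
                             approvers=["ap_clerk"], approval_channel="erp_portal")
    return {
        "bec_style": evaluate(bec_style, vendors),
        "verified_dual": evaluate(verified_dual, vendors),
        "routine": evaluate(routine, vendors),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "APPROVED" if ok else "REJECTED", why)
```

The first request fails on all three checks at once, which is the point: an attacker who has compromised or impersonated a vendor mailbox controls the email channel, so the beneficiary change, the approval and the single-approver path must each be anchored to something outside that channel (the phone number on file, the ERP portal, a second person).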
Threat Groups (15)
| ID | Group | Context |
|---|---|---|
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has stolen and encrypted victim's data in order to extort payment for keeping it private or decryp... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted data exfiltration and posted stolen information on data leak sites for the purpo... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has stolen cryptocurrency wallet credentials and credit card information utilizing [Beav... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has maintained leak sites for exfiltrated data in attempt to extort victims into paying a ra... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) targets organizations in a wide variety of sectors via the use of [Mispadu](https://attack.mitre.org... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastr... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has observed the victim's software and infrastructure over several months to understand the technical p... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has engaged in double-extortion ransomware, exfiltrating data and directly contacting victims when... |
| G1049 | AppleJeus | [AppleJeus](https://attack.mitre.org/groups/G1049) has targeted the cryptocurrency industry with the goal of stealing digital assets.(Citation: Mandia... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt vic... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has deployed ransomware on compromised hosts and threatened to leak stolen data for financia... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has stolen and encrypted victims' data in order to extort victims into paying a ransom.(Citation... |
| G1050 | Water Galura | [Water Galura](https://attack.mitre.org/groups/G1050) has extorted victims for ransomware decryption keys and to prevent publication of data exfiltra... |
| G0083 | SilverTerrier | [SilverTerrier](https://attack.mitre.org/groups/G0083) targets organizations in high technology, higher education, and manufacturing for business emai... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) demands ransom payments from victims to unencrypt filesystems and to not publish sensitive data exfiltra... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S1247 | Embargo | Malware | [Embargo](https://attack.mitre.org/software/S1247) has been leveraged in double-extortion ransomware, exfiltrating files then encrypting them, to prom... |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has searched the victim device credentials and files commonly associated with cryptocurrenc... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has collected data from cryptocurrency wallets and harvested credit cards details from brow... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has the ability to steal credentials for cryptocurrency wallets.(Citation: Koi Glassworm New Tric... |
| S9004 | Crocodilus | Malware | [Crocodilus](https://attack.mitre.org/software/S9004) has stolen cryptocurrency wallet details from victim devices.(Citation: ThreatFabric_Crocodilus_... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) can deploy payloads capable of capturing credentials related to cryptocurrency wallets.(Citation: ... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has searched the victim device for browser extensions commonly associated with cryptocurrency wa... |
References
- CloudFlare. (n.d.). What is vendor email compromise (VEC)? Retrieved September 12, 2023.
- Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.
- Daniel Kapellmann Zafra, Corey Hidelbrandt, Nathan Brubaker, Keith Lunden. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.
- Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.
- FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.
- FBI. (n.d.). Ransomware. Retrieved August 18, 2023.
- Frank Bajak and Raphael Satter. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.
- IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.
- Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.
- Lily Hay Newman. (n.d.). ‘Pig Butchering’ Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.
Frequently Asked Questions
What is T1657 (Financial Theft)?
T1657 is a MITRE ATT&CK technique named 'Financial Theft'. It belongs to the Impact tactic(s). Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of t...
How can T1657 be detected?
Detection of T1657 (Financial Theft) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1657?
There are 2 documented mitigations for T1657. Key mitigations include: User Training, User Account Management.
Which threat groups use T1657?
Known threat groups using T1657 include: INC Ransom, VOID MANTICORE, Contagious Interview, Cinnamon Tempest, Malteiro, Kimsuky, FIN13, Storm-0501.