Hackers create fake company and hire ‘employees’ for ransomware campaign

The FIN7 cybercrime group created a fake company and hired legitimate programmers as part of its expansion into ransomware. The recruits were unwittingly employed in real life cyberattacks under the guise of red team simulations.

The cybergang fashioned a website for sham cybersecurity company Bastion Secure, using authentic details and content from the websites of other real-world security companies. As part of the disguise, even the name of the fake entity was selected to sound as similar as possible to genuine companies operating in the security space.

Researchers from Gemini Advisory uncovered the truth with the help of a source approached by the gang for potential hire. As part of the hiring process, the source received programming tools along with test assignments. After analysis, the tools were determined to be components of the post-exploitation toolkits Carbanak and Lizar/Tirion, both previously attributed to the FIN7 group. The toolkits have applications in ransomware and in point-of-sale (POS) attacks.

History of crime

FIN7 is best known for targeting food, hospitality, and retail companies. Since 2015, the group has stolen the data of at least 20 million bank cards in the United States alone, going on to sell them on dark web forums and online data marketplaces.

But with ransomware becoming the online criminal’s money-maker of choice, the gang recently changed its policy. 

FIN7 cybercrime group

Professional pen-testers were hired to employ their capabilities as system administrators — for mapping compromised systems — to perform network assessments, and to locate backup files and assets used in subsequent malware deployment. Workers could have been completely unaware that they were involved in illegal operations.

This approach was likely an economic decision: additional criminal collaborators would expect far greater compensation, commensurate with the illegal nature of the enterprise. Unwitting ‘employees,’ on the other hand, would only expect a regular salary.

Despite an elaborate concept, researchers believe that the fake company and payroll were a budgetary decision aimed at keeping costs down and the shares of proceeds for the criminals high.


The latest trend in cybercrime, ransomware, has shot into prominence over the past two years. In large part, groups like FIN7 are turning to ransomware because it represents such a clear path to the monetisation of their efforts. 

In a successful ransomware operation, criminals gain access to an organisation’s critical data — usually exfiltrating copies — before the original information is encrypted. The criminals then demand payment before the encryption keys needed to recover the company’s data will be provided. 

“I think that the reason [ransomware] is proliferating — we’ve seen twice as many attacks this year as last year in the UK — is because it works,” explains Jeremy Fleming, director of the UK’s national intelligence and security organisation, GCHQ. 

Simply put, ransomware pays. Criminals are making good money and likely feel that ransomware is largely uncontested, Fleming adds.

A more fraudulent world

The upswing in cybercrime, such as ransomware, follows a broader trend of rising levels of fraud and financial crime. Fraud losses in the UK increased by 30% this year, according to legal services group Rosenblatt

More and more elaborate, even protracted banking scams are being uncovered too. Sometimes criminals establish long-lasting relationships with victims, posing as bank staff in emails and phone calls to acquire the necessary trust over many months. This allows criminals to convince victims to make bank transfers to their accounts. Ironically, often a bogus threat on the person’s bank account is used as a premise for needing to relocate money. 

Along with improvements in detection and prevention, some people are calling for greater levels of institutional support for victims.

“The regulator must introduce mandatory and more robust reimbursement requirements for all payment providers, to ensure that customers are treated fairly and consistently when they fall victim to bank transfer scams,” according to Jenny Ross, money editor of Which?.

Mark Swift is a Scottish freelance journalist and writer based in Paris. His work covers business, technology, European politics, and EU policy. Before writing for 4i-mag, he was a journalist for Young Company Finance Scotland, covering investment in Scottish technology start-ups. Mark's portfolio can be found here: