Cyber Crime Group Moves from Credit Card Skimming to Ransomware

Russian Hackers Move From Skimmers to Ransomware by Exploiting Vulnerable RDP Ports

FIN6, a Russian cybercrime group that has historically focused on attacking point-of-sale (POS) devices to steal credit card data, is now expanding their portfolio into ransomware distribution. 

Over the last three years, the hacking group has targeted the hospitality and retail industries, successfully collecting millions of data sets from credit and debit cards.  It is estimated FIN6 has been paid approximately $400 million for the data they have exfiltrated from POS systems.  So, why make the leap to ransomware distribution?  It’s even more lucrative. 

Recently, FIN6 has been found targeting businesses with two different ransomware variants, LockerGoga and Ryuk.  Both of these ransomware variants are considered to be newer threats.  LockerGoga is the ransomware variant that infected the Norwegian aluminum company, Norsk Hydro, just last month. 

Ryuk, although not as new, has proven to evade most security solutions, making it appealing to many cyber criminals.  Ryuk does not infect via executable file; alternatively, it runs through PowerShell.  It is because of this fileless attack method, that Ryuk is able to bypass most security programs.  Ryuk has also been in the news lately for infecting Chicago-based Tribune Publishing, which in turn impacted newspaper distributions nationwide. 

It is believed since making to switch to ransomware distribution in 2018, FIN6 has been paid millions in ransom demands.  Now to the ground breaking question – how are they doing it?  The hacking group has been seen using stolen credentials to access the network through the endpoint’s Remote Desktop Protocol (RDP) ports.  Once they gain access to the network through the RDP port, the hackers abilities become unlimited.  Attackers can drop a backdoor to allow for additional malware to be installed, execute ransomware, disable the antivirus protection, steal intellectual property, and more.

Related Reading  The Ransomware Ripple Effect


In order to protect against RDP attacks, users can do two things. Disable the RDP port, if they are not using it. Or, if it must remain open for access, users should deploy a security solution that actively thwarts these types of attacks.

PC Matic Pro has made the following product enhancements to block these types of attacks:

  • RDP Manager within the portal. This enables the IT professional to monitor and manage all RDP ports within the network, and disable any that are not being utilized.
  • Early Launch Anti-Malware project, which is a joint effort between PC Matic and Microsoft.
  • Enabling Windows lockout thresholds by limiting the number of login attempts.
  • Restriction of the uninstallation process, which is a control put into place that will not allow the hacker to uninstall PC Matic Pro on the endpoint.

 3,520 total views,  1 views today

(Visited 1 times, 1 visits today)

4 thoughts on “Cyber Crime Group Moves from Credit Card Skimming to Ransomware

  1. I appreciate your messages but i pay you every year automaticly how am i supposed to know if my rfd port is closed

    • Without knowing the operating system you’re running, we would suggest searching online for the instructions on how to see if your RDP port is enabled. If additional assistance is needed, you may reach out to our support team at

  2. Great info as always. Problem is how do I access this RDP Port in win 7 and OS?
    I was beta testing PC Matic and forwarded a “Glitch”.
    I got a thank you, but no more contact as to when the next beta or full release will be available
    Any update ?

  3. There’s a similar hack that makes a partition on the SPI or PCH. Fileless, it installs Windows 10 Enterprise with AD & every part of the Enterprise package. It installs core networking, uses a V-Lan system to send your IP to servers in LA, NY, Ireland, GB, Norway, & a city 200 Mi. south of Moscow Russia. It makes a WiFi node using NDIS & UART drivers. It allows cell phones to connect via GPRS & this works on all flavors of Linux or Windows. I’ve lost 6 PC’s in a year & it keeps coming back, even on stuff I order online! I bought a laptop at the Tamaqua,PA Walmart & it had the infection. The Lansford, PA library has it on all of their PC’s & don’t know it. It makes a virtual floppy named X: & holds 9 strings of data in a null directory. Based off the NT 6.0 skeleton & uses the WOF/WOF2 to hide. Avira picks it up & Kaspersky TDDS but they remove so much of the registry the system becomes useless. Fighting this for 1 year & 4 months. Notified CERT, FBI, IC3 but no help yet.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.