July 18, 2024 at 09:50AM
Russian cybercrime syndicate FIN7 has been selling its AvNeutralizer malware to various ransomware gangs. The custom security solution-disabling tool is marketed under different pseudonyms and is effective at evading numerous endpoint security products. Researchers have identified the use of the tool by different ransomware campaigns and highlighted the group’s continuous innovation and evolving tactics.
The meeting notes highlight the activities of the Russian cybercrime syndicate FIN7, particularly its development and marketing of the AvNeutralizer malware. The malware is being sold to various ransomware gangs, and prices for the tool range between $4,000 and $15,000. It appears that AvNeutralizer has been actively marketed since at least 2022, with increased engagement in early 2023.
The malware is designed to disable endpoint security products and has been used by different ransomware campaigns starting in 2023, including those using ransomware-as-a-service variants such as LockBit, ALPHV/BlackCat, Trigona, AvosLocker, and Medusa. There are indications that FIN7 is using multiple pseudonyms to sell this tool, making attribution of their activities more challenging.
The AvNeutralizer malware is continuously evolving, with the most recent version introducing a novel technique to create a denial-of-service condition in specific processes. This development showcases FIN7’s technical expertise and advanced operational strategies, making attribution and mitigation efforts crucial. The team at SentinelOne has gained a clearer understanding of AvNeutralizer and its use, which will allow for better tracking of malicious activity and informed retrospective analyses.