FIN11

FIN11 is a long-running financially motivated cybercrime threat group associated with ransomware deployment, data theft, and extortion. Reporting in the provided content links FIN11 closely with the CL0P/Clop ransomware and extortion brand, and multiple sources describe it as believed to be part of the broader TA505 umbrella. The content also notes reporting that has connected the group to both Russia and Ukraine, but does not establish a definitive nation-state attribution. Across the provided sources, FIN11 is described as having monetized operations through point-of-sale malware, CL0P ransomware, and traditional extortion. It has conducted long-running ransomware distribution campaigns across multiple industries and has been linked to mass exploitation and extortion activity involving managed file transfer and enterprise application products. The content ties FIN11 to exploitation or suspected exploitation of zero-days and mass victimization campaigns involving Accellion FTA, MOVEit Transfer, Cleo managed file transfer products, and Oracle E-Business Suite. Mandiant merged UNC4857 into FIN11 following the 2023 MOVEit exploitation based on overlaps in targeting, infrastructure, certificates, and data leak site activity. GTIG and Mandiant also describe a suspected FIN11 cluster tied to Oracle E-Business Suite exploitation in 2025, associated with the CL0P leak site and the GOLDVEIN.JAVA downloader. The group is repeatedly associated with CL0P ransomware deployment and extortion operations, including use of the CL0P data leak site. The content also describes FIN11-linked activity clusters and notes that attribution can be complex, with some campaigns only linked to an unknown or suspected FIN11 cluster rather than conclusively attributed. In late 2025, GTIG reported a high-volume extortion campaign claiming CL0P affiliation that showed strong links to FIN11, including the use of hundreds of compromised email accounts and at least one account directly tied to prior FIN11 activity. Tactics and tradecraft directly mentioned in the content include ransomware deployment, data theft prior to extortion, use of compromised email accounts for mass extortion, exploitation of internet-facing enterprise applications and file transfer products, use of web shells in mass exploitation campaigns, and use of malware such as GOLDVEIN.JAVA. Mandiant also attributed a CL0P-associated process kill list to FIN11 and reported that the group used kill lists containing some OT-related processes. Mandiant assessed FIN11 has shown no indication of specialized OT expertise, but its tradecraft overlaps with techniques seen in early-stage OT-targeted attack lifecycles, including use of publicly available tools, living-off-the-land techniques, known exploitation frameworks, and tailored malware. Aliases and related names directly reflected in the content include CL0P/Clop, TA505, UNC4857, and Microsoft’s Lace Tempest / DEV-0950 mapping for FIN11. The content also refers to multiple FIN11 activity clusters or suspected FIN11 clusters rather than naming distinct formal sub-groups.