FIN8 deploys ALPHV ransomware using Sardonic malware variant (July 20, 2023)

Ref# AL2023_59 | Date: Jul 20th 2023


A financially motivated cybercriminal group known as FIN8 (aka Syssphinx) has recently been observed using a new variant of the Sardonic malware to deploy BlackCat ransomware payloads on compromised networks.

Operating since at least January 2016, FIN8 specifically targets industries such as retail, restaurants, hospitality, healthcare, and entertainment. Their attack campaigns have been characterized by their sporadic nature, but they have a significant impact, leaving a trail of hundreds of victims in various organizations. FireEye, a cybersecurity company, first identified and classified FIN8 as a threat group. Despite their intermittent activity, FIN8″s operations have been linked to numerous large-scale campaigns, demonstrating their persistence and effectiveness in compromising networks and carrying out cyberattacks.


The threat actor behind these attacks employs a wide range of tools and techniques to carry out their malicious activities. They utilize various strains of Point-of-Sale (POS) malware, including BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea. Additionally, they exploit Windows zero-day vulnerabilities and conduct spear-phishing campaigns.

Recently, the threat actor has transitioned from using BadHatch to a C++ based backdoor called Sardonic. Bitdefender researchers discovered this backdoor in 2021 and found that it can gather information, execute commands, and deploy additional malicious modules as DLL plugins. In December 2022, Symantec”s Threat Hunter Team observed a revamped version of the Sardonic backdoor in recent attacks. This variant shares similarities with the version discovered by Bitdefender, although significant portions of the code have been rewritten. The backdoor now has a different appearance and no longer relies on the C++ standard library or object-oriented features, opting for a plain C implementation instead. It appears that the threat actors made these changes to avoid detection and conceal similarities with previously disclosed details. However, they still employ known techniques associated with the Syssphinx group in other aspects of their attacks.

While FIN8 initially focused on stealing payment card data from POS systems, they have expanded their operations to include ransomware attacks to increase their profits. In June 2021, FIN8 was observed deploying Ragnar Locker ransomware on the compromised systems of financial service companies in the United States. This marked the first known instance of the group engaging in ransomware attacks. Six months later, in January 2022, FIN8 was linked to another ransomware variant called White Rabbit. Researchers discovered connections between the infrastructure used in the White Rabbit attacks and the well-known infrastructure of FIN8. Furthermore, the Sardonic backdoor, previously associated with FIN8, was also utilized during the White Rabbit ransomware attacks, further solidifying the connection to the group.

In a more recent development, Symantec has observed FIN8 deploying BlackCat (also known as ALPHV) ransomware in the December 2022 attacks, using the new variant of the Sardonic malware. According to Symantec, FIN8 continuously evolves and enhances its capabilities and malware delivery infrastructure. The group periodically refines its tools and tactics to evade detection and improve its effectiveness. The expansion of FIN8 from point-of-sale attacks to ransomware deployment highlights their commitment to maximizing profits from targeted organizations. This demonstrates the adaptability and persistence of the threat actors in their pursuit of financial gains.


  1. Keep computer systems updated with the latest security patches.
  1. It is imperative to not open emails and attachments from unknown senders as this is a common method of cyber-attacks.
  1. Install a reputable malware software from a trusted source such as Avast antivirus and run scheduled scans on all devices to keep them malware free.
  1. Having an incident response plan, specifically for zero-day attacks, is crucial for organizations of all sizes. It provides a structured approach to identify and respond to cyberattacks, reducing confusion and minimizing damage. With a specific plan in place, organizations can swiftly detect, contain, and mitigate the impact of zero-day attacks, improving their overall security posture. Regular testing and updates are essential to ensure the plan remains effective against evolving threats.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: FIN8 Deploys ALPHV ransomware using Sardonic Malware Variant.pdf