Date: 2024-08-05

Events in the last few years suggest that FIN7 is now in partnership with AvNeutralizer. SentinelOne discovered that FIN7 has been connected to “the use of EDR evasion tools [AvNeutralizer] in ransomware attacks involving the Black Basta group.” By using AvNeutralizer, also known as AuKill, hackers can tamper with security solutions and then launch their own attacks. Originally, experts only saw Black Basta using the tool and assumed it was a partnership between the two groups.

“Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer,” wrote SentinelOne. “About 10 of these are attributed to human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona and LockBit.”

The tool has now been linked to five different groups, which makes it likely that Black Basta was simply an early adopter.

Reports indicate that FIN7 is selling AvNeutralizer on Russian-speaking hacking forums at prices ranging from USD 4,000 to USD 15,000. The post advertised that the tool took three years and USD 1 million to develop. Additionally, the tool acts as a post-exploitation framework that infiltrates enterprise networks and is not detectable by traditional antivirus software.