22 May 2023

FIN7 cybercrime syndicate uses Clop ransomware in new wave of attacks

The notorious cybercrime gang FIN7 has returned with a new malware campaign after a long period of inactivity, Microsoft’s threat intelligence team has warned.

The group, tracked by Microsoft as Sangria Tempest, was observed deploying the Clop ransomware in April 2023 - the gang’s first ransomware campaign since late 2021.

In the observed attacks, FIN7/Sangria Tempest used a PowerShell script called Powertrash to load the Lizar post-exploitation tool and gain a foothold in a target network. The group then used OpenSSH and Impacket to move laterally and deploy Clop ransomware.

“Clop is the latest ransomware strain that Sangria Tempest has been observed deploying over the years. The group previously deployed REvil and Maze before managing the now-retired DarkSide and BlackMatter ransomware operations,” Microsoft said.

FIN7 is one of the most sophisticated and aggressive cybercrime operations involving dozens of talented hackers located overseas. FIN7 uses an arsenal of constantly evolving malware tools and hacking techniques, and controls infected computers through a complex web of servers located throughout the world.

Since at least 2015, FIN7 has targeted more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries. The group hacked into thousands of computer systems and stole millions of customer credit and debit card numbers as well as proprietary and non-public information, which the group used or sold for profit. In 2018, the US authorities indicted three Ukrainian nationals - Dmytro Fedorov, Fedir Hladyr, and Andrii Kopakov - for their alleged involvement in FIN7 operations.

Last year, cybersecurity firm SentinelOne uncovered evidence indicating that a developer for FIN7 was also the creator of the EDR (Endpoint Detection and Response) evasion tools used exclusively by the Black Basta ransomware gang since June 2022.
