FIN11 has been active since at least 2016 and its members are likely based in Russian-speaking countries. FIN11’s toolset and techniques overlap with those of other cybercrime groups because it regularly uses malware programs and other services sold on underground markets. The way the group delivers its malware droppers via emails has rapidly evolved over the past two years, with changes being made almost every month to better evade detection. In more recent months, it doubled down on extortion by also stealing business data from victims and threatening to release it publicly if they don’t pay the ransoms.

