Menu
Browse

Cyber Threat Actor: Carbanak

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
19 incidents
Profile

The threat actor operates under numerous aliases including JokerStash, Fin7, Carbanak, Anunak, UNC1878, Razdel, and Navigator Group, with activities spanning financially motivated cybercrime. Their operations consistently target retail, healthcare, financial services, energy, transportation, and critical infrastructure across North America, Europe, and Asia-Pacific regions. Primary objectives center on financial gain through ransomware extortion, payment card theft, and data exfiltration for auction or extortion. Campaigns demonstrate a focus on high-impact sectors where operational disruption amplifies pressure to pay ransoms, such as healthcare during the COVID-19 pandemic and retail during peak business periods.

Notable TTPs include deployment of Carbanak backdoors, Ryuk ransomware, Netwalker ransomware, and Black Basta ransomware, often paired with data exfiltration for double extortion. Initial access frequently involves spear-phishing campaigns impersonating trusted partners, exploitation of vulnerabilities like Citrix CVE-2019-19781, and compromised credentials from exposed RDP servers or weak authentication. The group leverages memory-resident malware such as BOOSTWRITE to evade detection and hijacks legitimate remote administration tools for command injection. Publicly reported operations include the 2022 Black Basta ransomware attack against Canadian grocery/pharmacy conglomerate Empire Company, the 2020 Ryuk campaign disrupting U.S. hospitals including Wyckoff Heights Medical Center, and the 2019 compromise of an ATM manufacturer using Carbanak to facilitate fraudulent transactions. Law enforcement sources and cybersecurity researchers have linked subgroups to the Conti cybercrime syndicate and FIN7’s historical operations, though explicit hierarchical relationships remain unconfirmed. The actor’s infrastructure reuse, cryptocurrency payment demands, and ransomware-as-a-service partnerships reflect organized criminal collaboration rather than state-aligned activity.

Incidents
Attributed incidents available to members
19 incidents
Sources
Sources available to members
236 sources