While healthcare providers were struggling to care for COVID-19 patients during the pandemic, they have also been under attack from ransomware gangs. One group that has been particularly active against the healthcare industry is FIN12.
Approximately 20% of the attacks conducted by FIN12 since September 2020 have been on the healthcare industry, with other targeted sectors including education, manufacturing, technology, and financial services. 83% of the attacks conducted by the gang have been on the private sector, and 83% of the attacks have been on entities in North America, with 71% of the attacks on targets in the United States.
Cybersecurity firm Mandiant has been tracking the activities of the group, having been involved in many investigations and remediations of FIN12 attacks. Around 20% of all ransomware attacks Mandiant has assisted with have involved FIN12. The intelligence gathered during those investigations on the tactics, techniques, and procedures of FIN12 has recently been published in a comprehensive report.
Mandiant says FIN12 is somewhat unusual among ransomware operations, as the gang does not tend to engage in multi-faceted extortion and has disproportionately attacked the healthcare sector. The gang almost exclusively targets large organizations, with the majority of attacks so far conducted on organizations with revenues in excess of $300 million.
FIN12 is an intrusion specialist and is not involved in ransomware development or in breaching targets' defenses. FIN12 relies on other threat actors to provide the initial access, with the group specializing in ransomware deployment. From the time the gang started conducting ransomware attacks until March 2020, it exclusively used the TrickBot Trojan to gain access to victims' networks. Attacks then stopped for a period of around 4 months before they recommenced using a variety of initial access providers, including initial access brokers who specialize in attacks targeting vulnerabilities in Citrix environments. Mandiant says the gang maintains close connections with the threat actors behind TrickBot and BazarLoader, continues to conduct attacks using the access provided by those malware variants, and makes extensive use of Cobalt Strike Beacon.
The attacks conducted by FIN12 are rapid compared to many other ransomware operations. Mandiant says FIN12 has been speeding up its attacks, with the time spent in victim networks falling since the start of 2020. Each attack now takes less than 3 days from initial access to ransomware deployment, and in most attacks activity starts on the same day that access is gained. By comparison, the average time spent in networks by other ransomware operations is 12.4 days, with a median of 5 days.
Mandiant believes the gang consists of Russian-speaking hackers who are suspected of operating out of the Commonwealth of Independent States (CIS) region. FIN12 mostly uses Ryuk ransomware in its attacks, although it has also been known to use Conti ransomware. There have been cases where the gang has exfiltrated data and engaged in double-extortion tactics, although this does not appear to be the norm. That could well change, warns Mandiant, especially if the gang starts working with other ransomware operations.
“While threat actors running ransomware-as-a-service (RaaS) outfits have an important role in multifaceted extortion attacks, the focus on the branding and communication components of these services can detract from other important players,” explained Mandiant. “Intrusion actors, such as FIN12, may arguably play a more pivotal role in these operations, yet have received marginal attention.”