Although ransomware is a lucrative criminal business, one would think that some targets would be left off the list on moral grounds.
This is not so with FIN12, a ransomware gang that hunts big game, with one in five of its victims being in the healthcare industry.
Ransomware is a common and widespread cybercrime tactic, and its potential for damage outweighs that of other criminal activity such as outright data theft, cryptojacking, and insider threats, because it halts the victim's operations rather than merely siphoning from them.
Ransomware has been used to cause havoc in high-profile cases this year alone, including the worldwide Microsoft Exchange Server hacking spree, the Colonial Pipeline attack that resulted in fuel shortages in the US, and the interruption of supply chains as a result of systems belonging to the global meatpacker JBS USA being compromised.
You might expect the healthcare industry, along with funeral services, charities, and critical services, to be treated as off-limits by ransomware groups. Indeed, research conducted by KELA in August on the initial access broker (IAB) space found that healthcare-related advertisements offering access were few and far between.
However, the ransomware attack on Ireland's Health Service Executive (HSE), a security incident that disrupted critical healthcare services for weeks, is another case this year that shows this is not always so.
Access to crucial medical records, appointment information, treatment notes, and patient data can be cut off during a ransomware outbreak, causing delays in care and, in the worst cases, deaths, according to research conducted by the Ponemon Institute and Censinet.
Mandiant said on Thursday that FIN12, which the cybersecurity company has graduated from the uncategorized cluster UNC1878 to a named group, is a financially motivated actor that targets companies with an average annual revenue of over $6 billion. The majority of the group's victims bring in at least $300 million a year.
The researchers note that while "this number could be artificially increased by a few extreme outliers and collection bias," FIN12 nevertheless appears to target larger firms than the typical ransomware affiliate.
Joshua Shilko, Principal Analyst at Mandiant, told ZDNet that the operation has earned a spot in the "top tier of big game hunters," the operations that concentrate on the targets most likely to yield the largest ransom payments.
By all accounts, FIN12 has been the most active ransomware actor and has concentrated on high-value targets, according to Shilko. "The FIN12 victims' average yearly income was in the multiple billions. Additionally, FIN12 is the ransomware deployment actor that we have seen the most."
Active since at least 2018, FIN12 initially targeted victims in North America but has recently widened its victim base to include Europe and the Asia Pacific region. According to Mandiant, since September of last year close to 20% of the incidents the company's response team has worked on have involved FIN12 intrusions.
Threat actors frequently pay for initial access to a target network rather than hunting for working credentials, VPN access, or an easily exploitable software flaw themselves. Mandiant has "high confidence" that FIN12 relies on initial access obtained from outside sources.
Zach Riddle, Senior Analyst at Mandiant, told us:
"Actors who grant ransomware operators initial access often earn payment in the form of a portion of the ransom after a victim has paid, though actors may alternatively buy access to victims' networks for a predetermined fee.
We have seen evidence that FIN12 has paid up to 30-35% of a ransom payment to a suspected initial access provider, while the exact percentage paid for initial access can probably vary depending on a number of circumstances."
With 20% of its victims in the healthcare industry, the group also shows no such scruples. Because many ransomware-as-a-service (RaaS) providers forbid their affiliates from targeting hospitals, Mandiant suggests that FIN12 may be able to buy initial access to healthcare networks cheaply, since demand for it elsewhere is limited.
This alone, however, may not account for FIN12's appetite for the healthcare industry.
"We don't think that FIN12's readiness to target this business is directly related to other companies' refusals to target the healthcare sector," said Riddle. "FIN12 may believe that hospitals are more ready to pay ransoms fast to restore key systems than to spend weeks negotiating with actors and/or fixing the problem. In the end, the importance of the services they offer not only increases the likelihood that the victim would pay FIN12, but also expedites the payment process."
FIN12 is closely linked to Trickbot, a botnet operation that provides criminals with modular options including means of exploitation and persistence. Despite disruption to Trickbot's infrastructure, the threat actors behind it have recently launched campaigns in North America against insurance and legal firms.
The group's primary objective is to deploy Ryuk. Ryuk is a destructive and widespread ransomware family that, in addition to the standard functionality of encrypting systems and demanding payment for a decryption key, has gained worm-like capabilities to spread to and infect additional machines on its own.
Given that all currently identified Ryuk ransomware operators speak Russian, Mandiant believes that FIN12 is of Russian origin. Russian-language files and components are also present in Grimagent, another piece of malware employed by FIN12 that has not yet been linked to any other threat actor.
FIN12's average time from intrusion to ransomware deployment is just under four days, and it has been shrinking every year. In some cases, ransomware was deployed in as little as two and a half days.
While FIN12 may try out other backdoors or even fund the development of private tooling in the future, Shilko said the group appears to have settled into a routine of masking its beacon traffic with Malleable C2 profiles and obscuring its usual payloads with a variety of in-memory loaders. "Notably, actors occasionally make adjustments based on public reporting, so it would not be unusual if the organization changed as a result of our findings; nevertheless, we anticipate that these modifications would mostly focus on limiting detection rather than rethinking their overall playbook."