Mandiant Intelligence has revealed details on the FIN12 group, with almost 20 percent of observed victims in the healthcare industry and several of these organizations operating healthcare facilities. Since initially emerging, FIN12 has maintained close partnerships with TRICKBOT affiliated cyber attackers. However, FIN12 has seemingly diversified its partnerships for initial access operations, particularly this year, while depending on publicly available tools and malware to enable their operations.
The aggressive, financially motivated attacker has carried out prolific ransomware attacks since at least October 2018 and specializes in the post-compromise deployment of ransomware, primarily RYUK. Rather than conducting multifaceted extortion, it appears to prioritize speed and higher-revenue victims.
In nearly every single FIN12 intrusion since last February, the FIN12 group has used Cobalt Strike BEACON payloads to interact with victim networks, progressing through their attacks from internal reconnaissance to ransomware deployment, Mandiant said. In the years prior, however, they had used a broader toolset, including the PowerShell-based EMPIRE framework, to serve the same functions and in their earliest intrusions even used the TRICKBOT banking trojan as a post-exploitation framework alongside EMPIRE.
Mandiant suspects that FIN12 is likely comprised of Russian-speaking attackers, who may be located in countries in the Commonwealth of Independent States (CIS). FIN12 has not targeted CIS-based organizations, and its identified partners and all currently identified RYUK users have spoken Russian. Additionally, GRIMAGENT malware, which Mandiant has only observed in FIN12 incidents to date, contains Russian-language file resources, including graphical components containing Russian text. FIN12 used the GRIMAGENT backdoor in multiple intrusions, with particular regularity last October.
While FIN12 appears to rely on close partnerships for obtaining initial access to organizations, they almost certainly have some input into victim selection. “We believe that FIN12’s partners cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained,” Mandiant said.
The security firm also observed that the majority of observed FIN12 victims have been based in North America, but their regional targeting has been expanding this year throughout other regions, including Europe and Asia Pacific. “We have observed FIN12 victims in nearly every industry, but notably 20 percent of these organizations have been based in the healthcare sector,” it added.
Almost 85 percent of observed victim organizations have been based in North America, and the vast majority of known FIN12 victims have more than US$300 million in revenue. Approximately 71 percent of victims have been based in the U.S. and about 12 percent in Canada; however, Mandiant observed about twice as many victim organizations based outside of North America in the first half of 2021 compared to the period from 2019 to 2020. Collectively, these organizations have been based in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the U.K.
Almost 20 percent of observed victims have been in the healthcare industry and several of these organizations operate healthcare facilities. The remaining victims have operated in a broad range of sectors, including but not limited to business services, education, financial, government, manufacturing, retail, and technology.
The FIN12 group continued targeting healthcare entities during the COVID-19 pandemic, unlike many other ransomware groups, as ransomware-as-a-service (RaaS) operators often prohibit affiliates from targeting hospitals. Given that many attackers refuse to target this industry, it may also be easier or cheaper to obtain access to healthcare organizations.
However, by targeting healthcare facilities, the FIN12 group may face increased scrutiny from law enforcement agencies, as well as potential partners that wish to limit public exposure, Mandiant pointed out. While many cyber attackers prohibit the targeting of hospitals, others likely target healthcare facilities because they believe that these organizations are more likely to pay ransom demands.
Mandiant also said that the FIN12 group has consistently relied on a small arsenal of tools, limited almost exclusively to malware in the TRICKBOT ecosystem and publicly available utilities or attack frameworks. Despite the overarching pattern, FIN12 has still intermittently used a variety of other malware and services possibly acquired from the criminal underground, it added.
FIN12’s reliance on other attackers to obtain initial access to organizations has allowed them to focus specifically on ransomware deployment, according to Mandiant. The FIN12 group has also seemingly made a deliberate choice to prioritize speed, as Mandiant has rarely observed these attackers engaging in data theft extortion. However, it is plausible that these hackers may evolve their operations to more frequently incorporate data theft in the future.
Mandiant is also seeing some evidence that the FIN12 group has started to work more closely with an increasingly diverse group of partners. While observed changes have thus far been limited to their use of initial access providers, if FIN12 closely aligns itself with another ransomware service that maintains a shaming site, these hackers may begin to incorporate data theft into their ransomware operations more frequently, it warned.
There has been significant attention from the U.S. government to the threats posed by ransomware in recent times, resulting in various steps to curtail the threat, including sanctions and the threat of future sanctions against hackers deploying ransomware and against services used by these hackers to facilitate financial transactions, Mandiant said. This elevated attention may make U.S.-based organizations less desirable as targets for the FIN12 group, which may shift its attention to organizations operating in other areas of the world, including nations in Western Europe and the Asia Pacific region.