Mandiant has released a comprehensive report detailing FIN12, an aggressive, financially motivated threat group behind prolific ransomware attacks since October 2018. Almost 20% of the ransomware intrusions Mandiant has responded to in the past year were attributed to FIN12.
FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector. They are also the first group promoted by Mandiant to a named FIN or financially motivated threat group who specialises in a specific phase of the attack lifecycle—ransomware deployment—while relying on other threat actors for gaining initial access to victims. This specialisation reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.
According to Kimberly Goody, Director of Financial Crime Analysis at Mandiant, “FIN12 is one of the most aggressive ransomware threat actors tracked by Mandiant. Unlike other actors who are branching out into other forms of extortion, this group remains focused purely on ransomware, moving faster than its peers and hitting big targets. They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims. Nothing is sacred with these actors – they will go after hospitals/healthcare facilities, utilities, critical infrastructure, etc. This illustrates that they choose not to abide by the norms.”
FIN12 victim organisations have been overwhelmingly located in North America; however, there is some evidence that FIN12’s regional targeting has been expanding. Since the first half of 2021, they have targeted twice as many organisations outside North America. These organisations have been based in several countries, including the United Arab Emirates.
The group’s targeting appears to be relatively industry agnostic but the group has disproportionately impacted healthcare organisations even in the midst of the COVID-19 pandemic. Almost 20 percent of observed victims have been in the healthcare industry and many of these organisations operate healthcare facilities. The remaining victims have operated in a broad range of sectors, including but not limited to business services, education, financial, government, manufacturing, retail, and technology.
The average annual revenue of observed FIN12 victim organisations was more than $6 billion and almost all the organisations made more than $300 million, based on data compiled from ZoomInfo. This number could be inflated by a few extreme outliers and collection bias; however, FIN12 generally appears to target larger organisations than the average ransomware affiliate.
Throughout FIN12’s lifespan, the group has relied upon multiple different threat clusters for malware distribution and the initial compromise stage of their operations. FIN12 has likely established close partnerships with these initial access providers; in most incidents where the initial intrusion was identified, FIN12 activity was observed on the same day as the initial access campaign. Most notably, FIN12 shares a close working relationship with the operators of TRICKBOT and BAZARLOADER. Beyond leveraging accesses obtained via these malware families, FIN12 has used overlapping toolsets and services, including backdoors, droppers, and codesigning certificates.
Despite clear patterns across their intrusions, FIN12’s post-compromise TTPs have evolved over time. This type of slow evolution is to be expected of any threat group that maintains operational coherence during a period of months or years. These shifts are likely due to various intersecting factors such as the threat actors learning more about their craft, developing new tools and community relationships, or changes in a threat group’s membership over time. Some of the most important developments in FIN12’s post-compromise TTPs have included changes in the way they’ve relied on TRICKBOT, patterns in their use of post-exploitation frameworks, and the ways in which they’ve obfuscated their BEACON payloads.
Mandiant suspects that FIN12 is likely comprised of Russian-speaking actors who may be located in countries in the Commonwealth of Independent States (CIS). FIN12 has not been observed to have targeted CIS-based organisations and identified partners, and all currently identified RYUK users have spoken Russian. Additionally, GRIMAGENT malware, which Mandiant has only observed in FIN12 incidents to date, contains Russian-language file resources including graphical components containing Russian text.