
FIN12 Ransomware Group Specializes in Healthcare Cyberattacks

Almost 20 percent of FIN12 ransomware group’s victims were in the healthcare sector, a new report from Mandiant reveals.

Nearly 20 percent of FIN12 ransomware group’s cyberattacks were targeted at the healthcare sector, and over 70 percent of attacks were targeted at US-based entities, a new report from Mandiant Intelligence discovered.

The group appears to be Russian-speaking and has been active since at least October 2018, researchers found. Many ransomware groups claim to be morally against targeting critical infrastructure, education, and healthcare entities, making FIN12 stand out from the rest.

“FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector,” Mandiant explained.

“They are also the first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle—ransomware deployment—while relying on other threat actors for gaining initial access to victims. This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.”

FIN12 typically deploys the Ryuk ransomware variant and has been associated with Cobalt Strike Beacon, Trickbot, and Bazarloader actors.

Mandiant observed healthcare cyberattacks by FIN12 both before and after the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and HHS issued a warning to the healthcare sector about the threat of ransomware in October 2020.

Almost 85 percent of the group’s cyberattacks have been targeted at organizations based in North America, but Mandiant observed twice as many victims outside of North America in the first half of 2021 alone compared to 2019 and 2020 combined.

“We believe that the most significant factor in FIN12’s targeting calculus has been a victim’s annual revenue,” the report continued.

“The vast majority of known FIN12 victims have more than $300 million USD in revenue, based on corporate financial data compiled from ZoomInfo. While this data is skewed to our direct visibility, FIN12 does appear to consistently target larger companies in comparison to the average ransomware affiliate.”

FIN12 exclusively used Trickbot accesses to launch their ransomware attacks until March 2020, when they took a four-month hiatus. When the group returned in August 2020, they had diversified their access vectors to those that aligned closely with other underground bad actors seeking partners who could deliver Citrix accesses for Ryuk ransomware operations.

The group is extremely efficient and managed to halve its time-to-ransom (TTR), or the amount of time from when they access an environment to when they deploy ransomware, from 2020 to 2021. Mandiant found that the group can go through the lifecycle of a cyberattack in just 2.5 days, allowing for sophisticated and financially lucrative attacks.

“While threat actors running ransomware-as-a-service (RaaS) outfits have an important role in multifaceted extortion attacks, the focus on the branding and communication components of these services can detract from other important players,” the report observed.

“Intrusion actors, such as FIN12, may arguably play a more pivotal role in these operations, yet have received marginal attention.”

Other ransomware groups have garnered significant attention from government agencies after high-profile cyberattacks disrupted critical infrastructure. The Health Sector Cybersecurity Coordination Center (HC3) recently released a threat brief on BlackMatter ransomware, a group that claimed to be against targeting hospitals, government agencies, and critical infrastructure.

The group’s assurances did not give the healthcare sector peace of mind. While some groups claim to be morally against targeting specific entities, many put those morals aside for the potential of a big payout, HC3 warned.

FIN12 appears to be one of the most significant ransomware threats to the healthcare sector to date, and organizations should maintain heightened security to prevent and mitigate cyberattacks.
