A Russian-speaking ransomware gang in recent months has aggressively targeted North American organizations with more than $300 million in revenue, with a ruthless focus on the health care sector amid the COVID-19 pandemic, according to new findings.
The threat intelligence firm Mandiant published details Thursday about a group it calls FIN12, a gang that moves quickly and uses an array of established hacking tools to infiltrate its targets. Over the past year, hackers have kept investigators busy, accounting for 20% of the ransomware incidents that Mandiant has responded to, with the next highest attackers at 5%, according to Kimberly Goody, the company’s director of cyber crime analysis.
“They have a significantly higher cadence of attacks from our perspective,” she said. “We also see that, unlike other threat actors, this group has also aggressively pursued victims in critical sectors like health care, even during the pandemic, which had resulted in several actors saying that they wouldn’t target those organizations. So FIN12 has shown that they are very aggressive and brazen in who they target.”
The designation comes during a big year for ransomware, with attacks on Colonial Pipeline, JBS and Kaseya elevating the topic to White House attention. The Biden administration recently announced plans to bring together 30 nations to speed up cooperation on cybercrime, and to focus more attention on illicit cryptocurrency usage.
While Mandiant did not identify any victims by name, researchers say FIN12 has distinguished itself in a criminal field where gangs rise, fall and re-organize constantly. The roster of fellow emergent gangs that cyber threat firms have spotlighted since the summer include Atom Silo, BlackMatter, Haron, Prometheus and several others. (“FIN” is the label that Mandiant designates to financially-motivated hacking outfits. It’s the first group to earn a FIN designation from Mandiant since October 2020, and the second since mid-2017.)
Unlike many other groups, FIN12does not rely on “double extortion,” a technique in which hackers lock up a victim’s data, and then threaten to publish without payment. By avoiding double extortion, Goody says FIN12 doesn’t need to linger in targets’ systems as long to exfiltrate information. For the average ransomware incident Mandiant responded to, attackers remained inside systems for five days, compared to less than two days for FIN12, according to the report.
One of the reasons: It goes after targets it fully expects to pay swiftly with minimal negotiation because their systems are too valuable to keep down, like hospital networks. (Of the attacks Mandiant has seen, nearly 20% are in the health care sector.) Its preferred targets tend to be companies with over $300 million in revenues.
While some ransomware gangs have said they would shy away from attacking hospitals, FIN12 has continued, perhaps because they have enjoyed a level of anonymity enjoyed by few other groups, said John Hultquist, vice president for Mandiant Threat Intelligence.
“These guys have been able to hide in the shadows behind brand names and confusion and all this quite a bit, and they’ve never really been implicated for all the terrible things that they’ve been involved in,” Hultquist said.
The group most often has used Ryuk malware, a popular strain. Mandiant said FIN12 has long maintained a partnership with the operators of the TrickBot botnet, an army of hacked computers that attackers use to aid their crime sprees.
Its partnerships have further helped FIN12 move swiftly, Goody said.
“Rather than having to spend the time to conduct all of these initial access operations to actually compromise victims and put a backdoor there, they’re relying on other threat actors to do that piece of the job for them,” she said.
The number of ransomware gangs has proliferated this year, said Sean Nikkel, senior cyber threat intelligence analyst for the firm Digital Shadows. From the first quarter of the year to the second, Digital Shadows went from tracking a little more than a dozen major groups to approximately double that number.
In some cases, groups are evolving, splintering or re-forming under new names, but the larger trend is that more criminals are recognizing the profitability of ransomware, he said.
“There’s so much money to be made in this space,” Nikkel said. “Even in a small attack, you’re still looking at hundreds or thousands of dollars, and some of them are getting into the millions.”