Fast-moving Ryuk campaign targets healthcare organisations

Newly designated FIN12 gang leverages the work of the cyber criminal ecosystem to conduct lightning-fast ransomware attacks

A newly designated cyber criminal group is forgoing the widespread double extortion tactic in favour of a more retro approach to ransomware, as it mercilessly targets healthcare organisations using Ryuk.

Dubbed FIN12 by the Mandiant threat researchers who have been tracking it for over a year now, the gang has been responsible for approximately 20% of all ransomware intrusions Mandiant has responded to in the past 12 months.

The majority of its attacks have culminated in the deployment of Ryuk against its targets – although there is also evidence it is a minor affiliate of Conti. FIN12 – the FIN refers to “financially motivated” in Mandiant’s lexicon – is notable in particular because its average time-to-ransom is approximately two and a half days, about twice as fast as other actors.

Mandiant said this highlighted a growing concern that both larger teams and increased efficiency mean such gangs are increasing their overall volume of victims.

“FIN12 is one of the most aggressive ransomware threat actors tracked by Mandiant,” said Mandiant’s director of financial crime analysis, Kimberly Goody. “Unlike other actors who are branching out into other forms of extortion, this group remains focused purely on ransomware, moving faster than its peers and hitting big targets.

“They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims,” she said.

“Nothing is sacred with these actors – they will go after hospitals and healthcare facilities, utilities, and critical infrastructure. This illustrates that they choose not to abide by the norms.”

Jamie Collier, a cyber threat intelligence consultant at Mandiant, said that while the Russia-based gang had largely confined its targeting to North American organisations, it now posed a rising threat on this side of the Atlantic Ocean.

“Mandiant has observed a significant uptick in FIN12 operations targeting European organisations since the beginning of 2021, including those based in France, Ireland, Spain and the UK,” he said.

“FIN12 is known for targeting large organisations with significant revenues. Europe provides ample opportunities for cyber criminals to exploit, given the sheer number of large economies as well as various large multinationals that have their headquarters located in the continent.

“FIN12’s increased targeting outside of North America is emblematic of a wider trend, with the cyber crime threat growing increasingly severe in Europe,” said Collier. “Despite the large number of developed economies, the cyber security maturity of European organisations is relatively mixed. This presents clear opportunities for cyber criminals to exploit entities that are still developing their cyber security posture.”

Mandiant said the targeting of European healthcare organisations was of particular concern because, since many more European countries run national healthcare systems, such as the NHS, a cyber attack would have a far wider impact on people’s lives than an attack on a privatised American healthcare business.

Its research team added that the increased focus on fighting back against ransomware attacks at the highest levels of the US government, with threats of real-world repercussions including crackdowns on money laundering through crypto exchanges, was likely also making it less desirable for gangs such as FIN12 to operate in the US.

Ransomware blitzkrieg

The blitzkrieg nature of a FIN12 attack is made possible by the hard work of others in the underground cyber criminal network: the gang takes full advantage of a network of collaborators to accomplish its goals, and it is not the actor behind Ryuk or Conti, merely an active affiliate. Essentially, it acts as the final stage in a chain of events leading up to the execution of ransomware on a target network.

It works closely with actors associated with the development of Trickbot and other malware, such as Bazarloader, which serve as its initial intrusion vector, and these close relationships seem to have opened the door to a more diversified resource-sharing model in the past 18 months or so. FIN12 now seems to be seeking out other threat actors’ tools and services to increase the efficiency of its attacks.

Having obtained access, FIN12 almost always uses Cobalt Strike to interact with victim networks as it moves through the final phases of the attack – the gang seems to have settled on Cobalt Strike as its preferred tool in about February 2020. It uses a number of other tactics to maintain presence, move laterally and elevate its privileges, prior to executing Ryuk.

Mandiant said that while FIN12 relies heavily on others to obtain access to organisations, it likely has some input into the selection of its victims, as evidenced by its targeting of healthcare bodies with revenues of more than $300m. The research team believes that FIN12’s partners and friends cast a wide net and then let FIN12 choose from a list of victims once access is established.
