Researchers have uncovered an “aggressive” ransomware actor, FIN12, which has been launching a barrage of attacks against the U.S. healthcare sector since at least October 2018.
A recent report from a team of researchers at Mandiant illustrated how FIN12 attackers have improved the efficiency of their attacks over the past three years, while targeting high-value victims and medical facilities. Almost 20 percent of the group’s observed victims have been in the healthcare industry.
“FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector,” said researchers with Mandiant in their report.
FIN12 actors have relied on publicly available tools as part of their ransomware attacks. The attackers were observed utilizing the TrickBot malware as an initial access vector until March 2020. Then, after August 2020, they began to diversify their partnerships for obtaining initial access into victim organizations, which, researchers said, helped increase the volume and efficiency of the attacks.
After establishing an initial foothold on victims’ systems, FIN12 attackers then typically deployed various tools to maintain persistence, escalate their privileges, move laterally in the network and conduct internal reconnaissance. In the final stage of the attack, the group would deploy the Ryuk ransomware, though researchers observed at least one instance where the Conti ransomware was instead used.
Faster Attacks on High-Value Targets
Over the past year, FIN12 actors quickened the pace of their attacks, which researchers believe may have helped them avoid being discovered. In the first half of this year, researchers said it took the group an average of two and a half days to deploy ransomware after initially accessing an environment, a significant reduction from the average of 12.5 days in 2020.
FIN12 attackers have notably shied away from multifaceted extortion attacks, allowing them to run speedier operations. Attackers that use double or triple extortion methods also steal victim data or even contact victims’ customers in addition to demanding a ransom, putting further pressure on victims to pay up. Multifaceted extortion ransomware attacks have become commonplace: researchers with Trend Micro noted in September that the number of ransomware attacks relying on at least three or four extortion methods has increased this year.
FIN12 also stands out for its focus on high-value targets: researchers estimate that the majority of the group's known victims have more than $300 million in revenue (based on corporate financial data compiled from ZoomInfo). The group has also been observed expanding beyond North America to target organizations in Europe and Asia Pacific, said researchers.
“This shift could be due to various factors such as FIN12 working with more diverse partners to obtain initial access and increasingly elevated and unwanted attention from the U.S. government,” they said.
'No Target is Off Limits'
The implications of ransomware attacks against healthcare companies are particularly dire given the critical nature of the systems used in medical facilities and hospitals. With the COVID-19 pandemic further overwhelming some hospitals with patients in 2020, security experts have warned of ransomware attacks' potential for disruption.
“FIN12’s operations provide illustration that no target is off limits when it comes to ransomware attacks, including those that provide critical care functions,” said researchers with Mandiant. “This targeting pattern deviates from some other ransomware threat actors who had at least stated an intention to show restraint in targeting hospitals, especially throughout the COVID-19 pandemic.”
Other actors, like FIN12, have in recent years doubled down on targeting the healthcare industry, with Ryuk ransomware attacks increasing in 2020. Allan Liska, senior intelligence analyst at Recorded Future, said that attackers are quickly evolving their tactics, making it difficult for defenders in the healthcare industry to keep up.
“If anything, there are more ransomware attacks, and they’re becoming more impactful,” he said. “As the ransomware actors are getting more familiar with healthcare providers, they’re figuring out how to enact more damage. So we’re seeing attacks not just on single hospitals, but on entire hospital networks. Ransomware actors have learned a lot about the healthcare industry on the job and unfortunately they’re taking advantage of that.”