Genevieve Stark, senior analyst at Mandiant Threat Intelligence, and Joshua Shilko, principal technical analyst at Mandiant Threat Intelligence, recently joined Lindsey O'Donnell-Welch to give a background look into how they uncovered a new ransomware threat group called FIN12. Below is a condensed and edited version of the conversation.
Lindsey O’Donnell-Welch: You released a report on FIN12, a new ransomware group that you had recently discovered. I always find the background and the behind-the-scenes effort that goes into these threat reports fascinating, especially when it's a group like FIN12 that's previously undiscovered. Can you talk a little bit about how you first discovered the activity associated with FIN12?
Joshua Shilko: Yeah, I could talk about that a little bit. So FIN12 started out its existence in January of 2020, as what we call an uncategorized group or an UNC group. In particular, we call this UNC group UNC1878. At that time, we were tracking deployment of beacon payloads with a specific server profile or fingerprint that was being deployed shortly after initial infections by TrickBot. After a few more of the incident responses with the same activity, it became clear that these incidents were regularly leading to Ryuk ransomware. Since that time, we've analyzed over 50 related incidents, we've merged together 14 additional UNC groups - All that prior to graduating on UNC1878 to become FIN12, which was the topic of the report you mentioned. So those mergers that we did were based on a variety of overlaps, including infrastructure, ransomware, deployment techniques, tool usage and configuration details. And that all leads to the timeline of activity that we have now, which ranges from late 2018 through June of this year.
Lindsey O’Donnell-Welch: When you're talking about the naming designation, you mentioned UNC, and that means uncategorized threat group. When a group graduates and becomes officially named, like in this case, FIN12, what does that categorization represent, and at what point do you make that categorization?
Genevieve Stark: So we call this process of promoting a threat cluster from an UNC to a FIN or an APT a "graduation." And we have a lot of different groups we've graduated, but it's a small portion of our overall number of UNCs. We've actually been tracking over 3,000 threat groups or threat clusters over the past decade. And we have I think about 41 APTs and now 12 FIN groups. So you can see it's just a small portion of what we've tracked. So we know a lot of these UNCs are financially motivated, or they are espionage groups, but they don't get promoted. So why do we decide to promote some of these? There are a few different criteria we use there - for example, we look at impact. Has the group impacted a large number of our customers? Or has that impact been really, really significant? We look at the amount of insight we have, in the case of FIN12 we have so many different IRs we've responded to, so we have a high level of insight into their operations over a course of several years. We also look at how the groups reflect broader trends. And so for FIN12, obviously one of the major concerns from the industry and the government right now is ransomware. So we wanted to highlight one of those ransomware groups and particularly one that focuses on the post-compromise deployment of ransomware and works with other partners for other aspects of their operations.
Lindsey O’Donnell-Welch: Obviously ransomware is such a big deal right now - What stuck out to you specifically about FIN12 as a ransomware group, when you're looking at some of these other trends that we're seeing with the ransomware marketplace in general?
Genevieve Stark: I think one thing that's interesting is that this group has continued to use Ryuk ransomware almost exclusively for several years, while we see a lot of other groups switching between ransomware families, so that is a little bit atypical.
Lindsey O’Donnell-Welch: What was really interesting too was that while multifaceted extortion tactics are extremely popular these days with ransomware groups, that FIN12 was unique because it didn't use these multiple tactics.
Joshua Shilko: Yeah so, we don't know if it was a conscious decision, when they started out, that they said they were going to do this, but it's clearly what they have done. And we suspect that their avoidance of data theft, and other extortion types, is a conscious decision, made to prioritize speed and the number of victims that they can actually extort. So when you think about finding, stealing and exfiltrating relevant data, it takes a lot of time, especially if you want things that are valuable enough to actually have a victim carry through on a ransom payment. And they may just not find that worthwhile. In the few incidents where FIN12 did exfiltrate data, they spent an average of five times longer in the network before deploying ransomware compared to the ones where they didn't, which was the vast majority, well over 90 percent. And that, of course, provides more opportunities to be detected. So effectively, the advantage is that they're completing their objective more quickly, and having their efforts thwarted less often.
Genevieve Stark: And I think it's interesting to note here that their average time-to-ransom, or the time they access the network until they actually deploy ransomware, is about two and a half days when they haven't conducted any data theft extortion. And in many cases, they've actually been able to deploy ransomware within 24 hours of obtaining access to that victim network. So they are very fast.
Lindsey O’Donnell-Welch: Are you seeing this strategy work more for FIN12, as opposed to other ransomware actors who maybe take a little bit longer, but are also kind of pushing victims a little bit harder in terms of threatening to leak their data?
Genevieve Stark: It's challenging to make a direct comparison because many organizations that are impacted by ransomware attacks choose not to publicly disclose those attacks or subsequent payments. But that being said, in the past year, we've attributed 20 percent of ransomware intrusions we've responded to, to FIN12. And the next most prolific group is only responsible for 5 percent of these intrusions.
Joshua Shilko: So from the perspective of deploying ransomware on a large number of victim networks, they're definitely successful. It's possible that actors leveraging other extortion techniques have a higher conversion rate, as far as ransom payments go, but FIN12’s tactics of encrypting as many victim networks as possible, and also selecting high value victims who they believe are willing and able to pay, is almost certainly working out for them, as they've continued to operate in this manner. We would suspect that we would see a pivot to more frequent data theft if they weren't being successful.
"I think one thing that's interesting is that this group has continued to use Ryuk ransomware almost exclusively for several years, while we see a lot of other groups switching between ransomware families, so that is a little bit atypical."
Lindsey O’Donnell-Welch: Are other ransomware actors starting to take note of these approaches and revert back to prioritize timeliness and speed of attack versus negotiations?
Genevieve Stark: It's certainly possible, but I don't think we've seen evidence to suggest that's happening. That being said, I think that part of this isn't just about prioritizing efficiency. We've seen a lot more attention on ransomware from the U.S. and many other governments. And that could increase the pressure on these actors. So we may see some actors move away from data theft extortion, just because these shaming sites bring additional publicity to their operations and maybe additional scrutiny.
Lindsey O’Donnell-Welch: You bring up the pressure that ransomware actors are seeing now from governments and across the board. Ransomware has been a big issue for critical infrastructure and for a ton of different industries over the past year, but we are also seeing a lot of collaboration, as seen with the recent White House Summit, to discuss ways to collaborate and mitigate ransomware attacks. What are the best ways that the security industry can work with government and private sector entities in going head to head with some of these attackers?
Genevieve Stark: I think one of the exciting things about the recent meetings that the White House announced is that it’s increasing information sharing with some of our international partners. A lot of these ransomware actors have infrastructure all over the world. So if the private sector and the security industry can share information about this infrastructure with law enforcement, the law enforcement can use these partnerships to hopefully gain access to some of this infrastructure and maybe be able to see where some of these attacks are originating from. So I think that could help them track down some of the activity. And the nice thing about that is, it's going after the actual actors deploying ransomware. And a lot of the other law enforcement attraction is focused on the actors that are monetizing the operations at the end, maybe conducting money laundering or other cash out operations.
Lindsey O’Donnell-Welch: I also wanted to ask about FIN12’s victimology. A significant amount of the observed victims are in the healthcare industry. Can you talk a little bit about the top risks and security challenges for the healthcare sector and why cybercriminals might be drawn to this specific industry?
Joshua Shilko: Yeah, and we should note that many actors, including several high profile ransomware groups actually claimed that they would refrain from targeting healthcare organizations during the pandemic. So while it's hard to say whether these actors actually followed through on this promise, it's pretty clear that FIN12 themselves were undeterred. They definitely prioritize high revenue victims, but some of the other considerations, like an organization's security posture and how likely an organization is to pay also certainly play a role. And in the case of healthcare organizations, there's a perception that they're willing to pay, even if it is due to how critical uptime is for them.
Genevieve Stark: I think one of the other things to consider is that since many of these actors claim that they will not target healthcare entities, it's possible that these accesses may be cheaper to obtain. We've talked briefly about how FIN12 doesn't obtain access to victim networks themselves, they rely on partners to obtain these accesses. And so if other people are not requesting access to healthcare entities or are refusing to buy those accesses, FIN12 may be able to sweep in and get them at a cheaper rate, or just get higher quantities of access to that type of victim.
Lindsey O’Donnell-Welch: Do you see FIN12 continuing to evolve in the future? Are there any clues that show what the future will be for the group?
Joshua Shilko: So we've actually seen a lull in their activity since around June of this year. However, this isn't the first time that we've seen a break in their activity. The group was inactive from March to August of 2020. They took another brief break earlier this year. So it's not uncommon for them to take a hiatus here and there. Historically, when there's been a lull in activity, and then they come back, they'll come back with new tools or utilize new initial access partners, but they're essentially carrying out the same blueprint throughout the entirety of their existence. So it wouldn't be surprising to see that happen once again. As far as looking forward, there are some trends over the incidents that we've seen in 2021, that might give us some clues to what they may do when they come back. We've seen FIN12’s targeting expand quite a bit during 2021. Eighty-five percent of their historical targeting has been in North America with about 70 percent being in the United States. In 2021 alone, we saw more than twice as many victims outside of North America, as we saw in 2019 and 2020 combined. So it does seem that they've been shifting their victimology, and that may continue once they return.
Lindsey O’Donnell-Welch: When you were tracking FIN12 were there any clues that gave any hints about who might be behind the group?
Genevieve Stark: We believe that FIN12 is comprised of Russian speaking individuals located in one or more Commonwealth of Independent States nations. This is based on a number of factors. There are Russian language resources and a tool that we believe is exclusive to the group. They have an established partnership with Russian speaking TrickBot actors. We have not observed targeting of other CIS nations, which is typical for those actors that reside in CIS nations. And then all of the actors we've identified that claim to use Ryuk have communicated in Russia. I will say though, we get this question a lot: Do you believe that there's any relationship between FIN12, and let's say, the Russian government and other government entities? And one of the things I want to note is that it doesn't necessarily matter if there's a direct link between these groups, because countries like Russia benefit from these ransomware operations, regardless of any direction, or relationship they have. There's a strategic advantage to Russia as we focus on ransomware operations, and combating ransomware as opposed to our traditional intelligence priorities.
Lindsey O’Donnell-Welch: Can you talk a little bit more about the ransomware industry in general and some of the top trends that you're seeing there for ransomware attacks or the threat groups that are launching these types of attacks?
Genevieve Stark: The actors are relying very heavily on publicly available tools and utilities, and post-exploitation frameworks or exploitation frameworks, such as Cobalt Strike, Metasploit. So in many ways the techniques and the tools they're using aren't actually that notable.
Joshua Shilko: Genevieve brings up a good point here in noting that their backdoor of choice since early 2020 has been Cobalt Strike, which makes things really challenging since it's just so commonly in use, not just within the ransomware ecosystem, but just in general by various actors. So in order to differentiate between FIN12’s use and that of other groups, we spend a lot of time looking at hosting providers, domain providers, configuration details, valuable C2 profile usage, certificate usage, as well as the TTPs that are seen in activity that stems from these beacon instances, you know, which in the case of FIN12, we see some really distinct techniques and methods around their actual deployment of ransomware, the way they conduct internal reconnaissance. So it's not enough to say that FIN12 is a group that has sourced access from TrickBot, uses beacon and deploys Ryuk, because that's not unique enough to actually define what they are. It's actually those posts-exploitation TTPs that are important to look at, too.
Genevieve Stark: And looking at the broader ransomware ecosystem, it really is challenging from an attribution perspective. And part of it is these overlapping TTPs. But it's also that the relationships between these actors and these partnerships are very fluid. And so you can have an actor that provides initial access, that provides accesses to multiple brands or groups. And you might have an actor that specializes in post-compromise ransomware deployment that deploys multiple ransomware families. And so it's kind of a very complicated web. And we have to look at overlaps at all these different phases to try to narrow in on what TTPs are specific to this group, what could be an actor moving between groups. And in some cases, you just have to make an educated guess. In many intrusions at this point, we will have attributions spread across two or three threat groups. We might have one threat group responsible for initial access, another for the ransomware deployment and then finally, the ransomware as a service operator.