Aggressive Ransomware Group FIN12 Moves Fast, Targets Big Companies
A report published by Mandiant on Thursday details the activities and tools of FIN12, a highly aggressive ransomware group that has likely made a significant amount of money over the past years.
The threat group, tracked until now by Mandiant as UNC1878, has been around since at least October 2018. The UNC classification is assigned to “uncategorized” entities before the cybersecurity firm can determine with certainty if it’s a financially-motivated group (FIN) or a state-sponsored advanced persistent threat actor (APT).
FIN12 has mostly used the Ryuk ransomware in its attacks and has relied on other cybercrime groups for initial access into victims’ environments. Until March 2020, the group mostly relied on access obtained by operators of the Trickbot trojan, but later it started leveraging other malware, as well as remote Citrix and RDP logins using credentials that were likely obtained on underground forums.
Unlike other ransomware gangs, FIN12 in most cases does not spend time stealing valuable information from victims’ environments before encrypting their data and making a ransom demand. Instead, the group appears to prioritize speed: researchers determined that, on average, it spends less than three days in the victim’s network before encrypting files and making its presence known with a ransom demand.
In addition, the group only seems to target organizations with a revenue of at least $300 million; the average annual revenue of FIN12 victims known to Mandiant was over $6 billion.
Cybercrime groups using the Ryuk ransomware typically demand a ransom ranging between $5 million and $50 million.
Kimberly Goody, director of financial crime at Mandiant, told SecurityWeek that while Mandiant does not typically have direct insight into victim negotiations, based on its observations, FIN12’s ransom demands ranged from $1 million to $25 million.
“Even if a small percentage of victims paid a ransom, FIN12 had the potential to receive tens of millions per month,” Goody said. “While it isn’t a direct one to one comparison to FIN12, we know more broadly that ransomware operations deploying RYUK have been highly profitable. A prior analysis that we did of victim communications illuminated the high profits that ransomware threat actors can net. Payments received by cryptocurrency wallet addresses between Jan 2019 and April 2020 that we suspect were largely affiliated with RYUK victim ransom payments, although not exclusively FIN12 victims, totaled more than $150 million USD. These profits are significant and can be reinvested into both people and tools used to improve the efficacy of future operations.”
The group has targeted a wide range of industries, including many healthcare organizations, which some ransomware gangs have pledged to avoid. Mandiant said 20 percent of FIN12 victims are in the healthcare sector.
A majority of the organizations targeted by FIN12 were located in North America, with 71 percent located in the U.S. and 12 percent in Canada. However, researchers believe the group’s regional targeting has been expanding, including to Europe and the APAC region.
One region they have not targeted is the Commonwealth of Independent States (CIS), which includes Russia and other former Soviet countries. In fact, Mandiant says the cybercriminals are Russian speakers and they likely operate from a CIS country.
According to Mandiant, FIN12 took an extended break during the summer of 2020, and there was also some downtime in early 2021, around the holidays. Joshua Shilko, principal technical analyst at Mandiant, told SecurityWeek that the group now appears to have been on a break since early June 2021.
“While this may indicate that they’ve gone separate ways or something, it’s not uncommon in their history for them to have these breaks. And when they do return, there’s a few things we would expect,” Shilko said. “Their TTPs, their playbook has largely remained the same for nearly three years, which is pretty remarkable. When they do make changes, they make ones that are impactful and help to avoid detection, things like changing the obfuscation, changing their in memory loaders, changing their Malleable C2 profiles, sometimes switching up their post-intrusion frameworks. So, even though we haven’t seen them for a couple months here, we have no illusions about them being gone forever.”
Mandiant’s report on FIN12 includes information on victimology, initial access, TTPs, use of malware and criminal services, monetization, and origins.
Mandiant was until recently part of FireEye. However, the FireEye Products business and the FireEye name were sold earlier this year to private equity firm Symphony Technology Group (STG) for $1.2 billion. Mandiant officially announced this week that its corporate name has changed from FireEye to Mandiant, and its common stock ticker symbol on Nasdaq has changed from FEYE to MNDT.