FIN12 Ransomware Group Actively Attacks the Healthcare Industry

Ransomware is currently the biggest cyber threat facing the healthcare sector. Attacks typically disrupt healthcare IT systems for weeks or months, leaving medical records inaccessible. A Ponemon Institute/Censinet study found that attacks cause treatment delays, more complications, poorer patient outcomes, and a rise in mortality rates.

A number of ransomware groups have publicly stated that they will not target the healthcare sector, but that is not the case with FIN12. According to a newly published report by Mandiant, 20% of the attacks carried out by the ransomware group were on the healthcare sector.

FIN12 is a high-profile ransomware group that goes after big game targets. Nearly all FIN12 victims have annual revenues of over $300 million, with an average of roughly $6 billion. FIN12 has been active since 2018 and has mostly attacked North America. Though the group has recently expanded geographically and also attacks Asia Pacific and Europe, the most frequently targeted sectors are healthcare, financial, education, technology, and manufacturing.

Mandiant states that FIN12 is the most prolific ransomware actor it tracks. It is behind approximately 20% of all ransomware attacks the firm responds to, making it the most active ransomware deployment actor.

It is not clear why FIN12 attacks the healthcare sector when other ransomware-as-a-service operations do not. Mandiant believes that because healthcare providers need to quickly regain access to patient information, they are more likely to pay the ransom promptly. In other sectors, negotiations with victims can last for weeks.

Mandiant is convinced that FIN12 is a specialized ransomware deployment actor that relies on initial access brokers (IABs). IABs usually receive a percentage of any ransom payments generated, though some ransomware operations pay a flat rate. Mandiant has found evidence that FIN12 typically gives 30-35% of the ransom to the IAB.

TrickBot is one of the IABs widely used by FIN12. It is a botnet operation that provides persistent access to victims' networks. The group has also partnered with the BazarLoader operation and has recently purchased credentials for logging in to Citrix systems. FIN12 normally deploys a variant of Ryuk ransomware, which can spread throughout a network, corrupting and encrypting data on multiple systems.

Unlike many ransomware actors that spend weeks inside a victim's network before deploying ransomware, FIN12 conducts fast attacks, with an average time-to-ransom (TTR) of less than 4 days. The group appears to be prioritizing speed in its attacks, and its TTR is decreasing; some recent attacks had a TTR of 2.5 days. These efficiency gains are made possible by the group's specialization in a single stage of the attack lifecycle, which Mandiant explains lets threat actors build expertise faster.

Mandiant says the gang stands out from other ransomware actors because its use of multifaceted extortion is quite uncommon. It is now very common for data to be exfiltrated before ransomware deployment and for threat actors to threaten to publish the stolen data if victims do not pay. Mandiant says the decision not to engage in data theft is probably due to the impact it would have on the TTR: when FIN12 did exfiltrate data, the attack's TTR was approximately 12.5 days.

Although victims may be more likely to pay the ransom because of the threat of data exposure, there is also a greater risk of detection before file encryption. FIN12's evident success without using additional extortion methods suggests that the group does not consider the extra time spent stealing data worth the risk of having its plans thwarted.