Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates.
Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry.
FIN12 is a prolific ransomware actor that focuses on big-game targets. Almost all FIN12 victims have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America, where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia-Pacific region. The most frequently targeted industries are healthcare, education, finance, manufacturing, and technology.
Mandiant says FIN12 is the most prolific ransomware actor it tracks that focuses on high-value targets. Around 20% of all ransomware incidents the company responds to are attributed to FIN12, which makes it the ransomware deployment actor Mandiant encounters most often.
Why FIN12 targets the healthcare industry when many ransomware-as-a-service operations avoid it is not entirely clear. Mandiant suggests the pressure on healthcare providers to regain access to patient data quickly is likely the key factor: healthcare providers are more likely to pay the ransom, and more likely to pay it quickly, whereas negotiations with victims in other sectors may drag on for weeks.
Mandiant believes FIN12 is a specialist ransomware deployment actor that uses initial access brokers (IABs). IABs provide the access and credentials FIN12 requires to conduct its attacks. IABs typically receive a cut of any ransom payments that are generated, although some ransomware operations pay a flat rate for access. Mandiant has seen evidence that FIN12 pays a percentage of the ransom to the IAB, usually around 30%-35%.
One of the IABs extensively used by FIN12 is the TrickBot operation, a botnet that sells persistent access to victims' networks. The group has also partnered with the BazarLoader operation, and more recently has branched out and appears to have purchased credentials for logging in to victims' Citrix environments. FIN12 most commonly deploys Ryuk ransomware, a variant capable of spreading throughout a network and encrypting data on multiple systems.
In contrast to many ransomware actors, which spend weeks inside a victim's network before deploying ransomware, FIN12's attacks are rapid, with an average time-to-ransom (TTR) of less than 4 days. The gang appears to be prioritizing speed, as its TTR has been decreasing; some recent attacks have had a TTR of just 2.5 days. “These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly,” says Mandiant.
Mandiant says the gang stands out from other ransomware actors because it rarely engages in multifaceted extortion. It is now very common for data to be exfiltrated before ransomware is deployed, and for ransomware gangs to threaten to publish the stolen data if victims do not pay. Mandiant suggests FIN12's decision not to steal data is likely driven by the effect it would have on the TTR: in the attacks where FIN12 did exfiltrate data, the TTR was around 12.5 days.
While victims may be more likely to pay the ransom when threatened with public shaming and data exposure, the additional dwell time needed to steal data also carries a much higher risk of detection before file encryption takes place. “FIN12’s apparent success without the need to incorporate additional extortion methods likely suggests the notion that they do not believe spending additional time to steal data is worth the risk of having their plans to deploy ransomware thwarted,” suggests Mandiant.