Researchers have uncovered an “aggressive” ransomware actor, FIN12, which has been launching a barrage of attacks against the U.S. healthcare sector since at least October 2018.
A recent report from a team of researchers at Mandiant illustrated how FIN12 attackers have improved the efficiency of their attacks over the past three years, while targeting high-value victims and medical facilities. Almost 20 percent of the group’s observed victims have been in the healthcare industry.
“FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector,” said researchers with Mandiant in their report.
FIN12 actors have relied on publicly available tools as part of their ransomware attacks. The attackers were observed using the TrickBot malware as an initial access vector until March 2020. After August 2020, they began to diversify their partnerships for obtaining initial access to victim organizations, which, researchers said, helped increase the volume and efficiency of the attacks.
After establishing an initial foothold on victims’ systems, FIN12 attackers typically deployed various tools to maintain persistence, escalate their privileges, move laterally in the network and conduct internal reconnaissance. In the final stage of the attack, the group would deploy the Ryuk ransomware, though researchers observed at least one instance where the Conti ransomware was used instead.