Ransomware Group FIN12 Targeting Healthcare Sector

RYUK ransomware attacks linked to a financially motivated aggressive threat actor have been identified since October 2018, while maintaining close partnerships with cybercriminals affiliated with TrickBot and utilizing a publicly available arsenal of tools like Cobalt Strike Beacon payloads to interact with victim networks, according to The Hacker News.

Russian-speaking hackers, now known as FIN12 and formerly known as UNC1878, were responsible for the intrusions, according to cybersecurity firm Mandiant. The hackers targeted healthcare organizations with annual revenues exceeding $300 million, as well as educational institutions, financial services firms, and manufacturers and technology firms in North America and Europe as well as Asia Pacific.

As a result of the designation, a ransomware-affiliated group is now considered a separate threat actor. Mandiant researchers claim that FIN12 relies on partners to gain access to victim settings at the start of the attack. In contrast to previous ransomware threat actors, FIN12 tends to favor quickness and higher income victims over multidimensional extortion.

It's not new for ransomware to make use of first access brokers to make the attack easier. There were findings from Proofpoint's June 2021 research that ransomware actors increasingly buy access through cybercriminal enterprises that have already infiltrated major organizations, with Ryuk infections mainly leveraging malware families like TrickBot and BazaLoader that have already infiltrated major entities.

The average cost of network access from July 2020 to June 2021 was $5,400, according to cybersecurity firm KELA's in-depth investigation of first access brokers in August 2021. Additionally, some players have taken an ethical stance against trading access to healthcare organizations. Targeting the healthcare industry by FIN12 shows that its initial access brokers cast a larger net, and that if access has already been secured, FIN12 players can choose from a list of victims.

Phishing tactics are used by cybercriminals to acquire first access to their targeted networks

Threat actors gained entry to the network using phishing email campaigns disseminated internally from compromised user accounts in May 2021, before the deployment of WEIRDLOOP and Cobalt Strike Beacon payloads. This was noticed by Mandiant in May 2021, the company added According to reports, attacks carried out between the middle of February and the middle of April of 2021 used remote logins to steal Citrix credentials from their targets.

To maintain a foothold in the network and conduct out later-stage operations, such as reconnaissance, malware delivery, and the deployment of ransomware, FIN12 was employing TrickBot as of late 2019. In the meanwhile, the group has depended on Cobalt Strike Beacon payloads for post-exploitation activity, which has becoming increasingly common.

FIN12 does not use data theft extortion, a strategy used to release exfiltrated data if victims refuse to pay a ransom, according to Mandiant, which explains the threat actor's goal to move rapidly and target targets who are willing to accept for minimum negotiation in order recover vital systems. As a result, it's possible that they're focusing more on healthcare networks.