Today, Mandiant announced it upgraded a financially motivated threat actor to “FIN12.” FIN12 has deliberately and aggressively targeted healthcare facilities with ransomware throughout the pandemic and has accounted for nearly 20% of all ransomware intrusions Mandiant has responded to in the last year. Unlike other ransomware operations seen today, FIN12 does not focus on stealing data to use for extortion and instead prioritizes speed in its operations. As a result, its average time-to-ransom is around 2.5 days, which is roughly twice as fast as other ransomware gangs. This highlights a growing concern that threat actors are improving not just in terms of volume due to larger teams, but also in the efficiency of their operations.
Kimberly Goody, Director of Financial Crime Analysis, said, “FIN12 is one of the most aggressive ransomware threat actors tracked by Mandiant. Unlike other actors who are branching out into other forms of extortion, this group remains focused purely on ransomware, moving faster than its peers and hitting big targets. They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims. Nothing is sacred with these actors – they will go after hospitals/healthcare facilities, utilities, critical infrastructure, etc. This illustrates that they choose not to abide by the norms.”
“By combining together the clues of years of observations across many incident response engagements, Mandiant Intelligence teams were able to piece together that a large set of clusters of activity all have a common threat actor behind them. Mandiant has given a new designation to this financially motivated threat actor as FIN12. An attack from FIN12 most commonly results in the deployment of RYUK ransomware, typically attacking high-revenue organizations, and typically executed with alarming speed. While most of FIN12’s victims are in North America, FIN12 has victimized organizations in Asia Pacific countries including Australia, Indonesia, the Philippines, and South Korea. As the U.S. government further prioritizes addressing the ransomware threat across a variety of means including sanctions, FIN12 and other ransomware groups may accelerate shifting targeting focus to other regions including Asia Pacific.” – Steve Ledzian, VP, CTO-APAC, Mandiant
“Various RaaS threat actors, including those using RYUK, have specified minimum requirements for victims’ annual revenues. FIN12 generally appears to target larger organizations than the average ransomware affiliate. It is plausible that these organizations with higher revenues were chosen because of the perception that it justifies larger ransom demands. Historical observations showed that actors seem to calculate ransom demand as a percentage of annual revenue.”
“Organizations targeted in Asia Pacific by FIN12 have an average annual revenue of $14.5 billion (USD), much higher than targets in Europe ($7.4 billion) and North America ($5.7 billion). While the higher annual revenue in APAC targets could be a case of collection bias and extreme outliers, from the threat actor perspective, it is clear that organizations in APAC can ‘afford to pay’. Given the increased pressure by the US government to sanction and hunt down ransomware groups, it could lead to a shift in focus to the APAC region where regulations are still premature and less coherent.” – Yihao Lim, Mandiant Intelligence Advisor (APAC)
While more than 80% of FIN12’s victims have been based in North America, Mandiant observed more than twice as many victims outside of North America in the first half of 2021 as in 2019 and 2020 combined, with many of these new victims based in Europe and Asia Pacific. Since many of the countries in those regions have a nationalized healthcare system, they may be at increased risk of impact by FIN12, as these networks provide healthcare services for a higher proportion of these countries’ citizens than any private healthcare businesses in North America.

