Blog

FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets

Joshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly
Oct 07, 2021
9 min read
|   Last updated: Jan 08, 2024
Financial Threat Groups (FIN Groups)
Ransomware
Threat Intelligence

Today, Mandiant Intelligence is releasing a comprehensive report detailing FIN12, an aggressive, financially motivated threat actor behind prolific ransomware attacks since at least October 2018. FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector. They are also the first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle—ransomware deployment—while relying on other threat actors for gaining initial access to victims. This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.

The full published report covers historical and ongoing activity attributed to FIN12, their use of partners to enable their operations, including initial access providers, the evolution of the group’s tactics, techniques, and procedures, and trends in their extensive use of Cobalt Strike BEACON.

The Mandiant Security Validation (Validation) Behavior Research Team (BRT) has created VHR20210922 – FIN12, which is accessible on the Content page of the Validation Customer Portal.

We are also releasing the following reports referenced in the report to Mandiant Advantage Free.

FIN12 badge
Figure 1: FIN12 badge

FIN12 Victims

FIN12’s operations provide illustration that no target is off limits when it comes to ransomware attacks, including those that provide critical care functions. Almost 20 percent of directly observed FIN12 victims were in the healthcare industry and many of these organizations operate medical facilities. We observed FIN12 activity at healthcare organizations both before and after the joint alert by multiple U.S. government entities in October 2020 that warned of an “increased and imminent” threat to hospitals and medical facilities. This targeting pattern deviates from some other ransomware threat actors who had at least stated an intention to show restraint in targeting hospitals, especially throughout the COVID-19 pandemic. FIN12’s remaining victims have operated in a broad range of sectors, including but not limited to business services, education, finance, government, manufacturing, retail, and technology.

While these victim organizations have been overwhelmingly located in North America, there is some evidence that FIN12's regional targeting is expanding. Nearly 85 percent of the group’s known victims have been based in North America, however, we observed twice as many victim organizations based outside of North America in the first half of 2021 than we observed in 2019 and 2020 combined. Collectively, these organizations have been based in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the United Kingdom. This shift could be due to various factors such as FIN12 working with more diverse partners to obtain initial access and increasingly elevated and unwanted attention from the U.S. government.

We believe that the most significant factor in FIN12’s targeting calculus has been a victim’s annual revenue. The vast majority of known FIN12 victims have more than $300 million USD in revenue, based on corporate financial data compiled from ZoomInfo. While this data is skewed to our direct visibility, FIN12 does appear to consistently target larger companies in comparison to the average ransomware affiliate. Targeting victims that meet a certain revenue threshold also aligns with underground forum activity; some threat actors, including those using RYUK, have specified different ranges of minimum requirements for potential victims’ annual revenue. Further, comments detailing revenue information in malware administration panels operated by FIN12’s initial access providers illustrate that this is a relevant factor for victim selection or at minimum for prioritization of available targets. FIN12’s selection of high-value targets is consistent with the broader trend of threat actors pursuing larger targets in recent years, almost certainly because of the perception that it justifies proportionally large ransom demands.

Parasites And Symbiotes

From the beginning of their operations and until March 2020, we observed FIN12 exclusively leverage TRICKBOT accesses as a launching point for their ransomware attacks. However, after returning from a nearly four-month hiatus in August 2020, the initial access vectors leveraged by FIN12 became increasingly diversified. In at least some cases, these variations may reflect the use of distinct initial access providers. For example, beginning in early 2021, we directly observed several cases where the first evidence of FIN12 activity was a login to a victim’s Citrix environment. This activity is also consistent with our identification of multiple Russian-speaking actors operating in underground communities seeking partners who could provide Citrix accesses for RYUK ransomware operations. Although we currently lack sufficient evidence to attribute these actors to FIN12, these solicitations nonetheless further support the likelihood that FIN12 has not relied on a single initial access provider to enable their operations. This division of labor is not uncommon and reflects the professionalism and specialization of the cybercrime ecosystem overall.

In many incidents, where the initial intrusion vector was identified, FIN12 activity was observed on the same day as the initial access campaign suggesting that FIN12 maintains a close relationship with at least some threat actors providing them access. Most notably, FIN12 maintains a close relationship with TRICKBOT and BAZARLOADER affiliated actors. Beyond leveraging accesses obtained via these families, FIN12 has used overlapping toolsets and services including backdoors, droppers, and codesigning certificates. Despite these similarities, we track FIN12 as a distinct threat actor given their specific role in the deployment of ransomware, their ability to work independently of these families, and our observations of other distinct threat actors who also deploy ransomware using accesses obtained via these malware ecosystems.

Directly observed initial accesses leveraged by FIN12
Figure 2: Directly observed initial accesses leveraged by FIN12

Prioritizing Speed

FIN12's reliance on other threat actors to obtain initial access to organizations and their specific focus on ransomware deployment has paid dividends in terms of their time-to-ransom (TTR). We calculate the TTR as the amount of time from when they first access an environment to when they begin to deploy ransomware. In the first half of 2021, as compared to 2020, FIN12 significantly improved their TTR, cutting it in half to just 2.5 days. These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly. FIN12 also stands out in the pack of ransomware operators today because they do not usually engage in multifaceted extortion—a tactic that has become commonplace in today’s threat landscape. The most significant factor in FIN12's decision to refrain from stealing victim data and publicly shaming victims may be the impact it has on the speed of their operations. The average TTR across our FIN12 engagements involving data theft was just under 12.5 days compared to 2.5 days where data theft was not observed. Each additional day FIN12 spends in an environment before completing their objective increases their risk being detected. FIN12's apparent success without the need to incorporate additional extortion methods likely suggests the notion that they to not believe spending additional time to steal data is worth the risk of having their plans to deploy ransomware thwarted.

FIN12’s Time-to-Ransom (TTR)
Figure 3: FIN12’s Time-to-Ransom (TTR)

Implications

While threat actors running ransomware-as-a-service (RaaS) outfits have an important role in multifaceted extortion attacks, the focus on the branding and communication components of these services can detract from other important players. Intrusion actors, such as FIN12, may arguably play a more pivotal role in these operations, yet have received marginal attention. These actors are the ones navigating victim networks and deploying the ransomware itself, and in at least some cases, may have direct input into the target selection. The skillset required for this role may be comparatively less developed within the cyber-criminal underground, which has historically put a heavy emphasis on malware development, distribution, and the management of cash-out operations. We also constantly observe solicitations from threat actors looking to recruit individuals to join intrusion teams, sometimes even trying to hire individuals under false pretenses, facts that may be reflective of a talent shortage in this area. Notably, intrusion groups do not typically have an allegiance to any particular RaaS brand and have exhibited that they can easily switch between or use multiple brands concurrently. The shifting nature of these allegiances is a key reason for why intrusion operators such as FIN12 are important for security teams and organizations to understand and track rather than maintaining an exclusive focus on the brands and ransomware families these operators choose to distribute at a given moment.

Download FIN12 report today.

Acknowledgements

A small army contributed to the research, malware analysis, data analysis, writing and review of this report, and without them this could never have seen the light of day. We also owe an extreme debt of gratitude to the many thousands of hours of hard work put in by our incident responders, Managed Defense analysts, Advanced Practices teams, and underground researchers who collected and normalized much of the data that formed the basis for our analysis.Every report published by Mandiant is a massive team effort and we are grateful for the opportunity to work with a world class group of professionals in all their different areas of practice. Unfortunately, for the sake of brevity, we cannot list the name of every person who contributed to this work but we would like to specifically call out the efforts of a few individuals and teams.

The following people and teams provided critical analysis support to the team working on this report: 

  • Jordan Nuce 
  • Ioana Teaca 
  • Van Ta 
  • Aaron Stephens 
  • Bryce Abdo 
  • Sandor Nemes 
  • Jessa Valdez 
  • Thomas Pullen 
  • Moritz Raabe 
  • Amsterdam and Ukraine research offices 

Finally, extra special thanks to Ana Foreman for putting together the graphics that went into this reporting, and her infinite patience with our many edits.

Mandiant Security Validation Actions

Organizations can validate their security controls using the following Actions with Mandiant Security Validation.

Network Actions

VIDTitle
A100-040Malicious File Transfer - RYUK, Download, Variant #2
A100-042Malicious File Transfer - RYUK, Download, Variant #3
A100-044Malicious File Transfer - RYUK, Download, Variant #4
A100-071Malicious File Transfer - RUBEUS Tool, Download
A100-072Malicious File Transfer - SYSTEMBC, Download
A101-850Command and Control - GRIMAGENT, C2 Traffic, Variant #2
A101-851Command and Control - GRIMAGENT, C2 Traffic, Variant #1
A101-852Malicious File Transfer - GRIMAGENT, Download, Variant #1
A101-853Command and Control - GRIMAGENT, C2 Traffic, Variant #4
A101-854Command and Control - GRIMAGENT, C2 Traffic, Variant #3
A101-855Malicious File Transfer - GRIMAGENT, Download, Variant #3
A101-856Malicious File Transfer - GRIMAGENT, Download, Variant #2
A101-858Malicious File Transfer - WEIRDLOOP, Download, Variant #2
A101-859Malicious File Transfer - WEIRDLOOP, Download, Variant #1
A101-862Malicious File Transfer - MALTSHAKE, Download, Variant #2
A101-863Malicious File Transfer - MALTSHAKE, Download, Variant #1
A101-864Malicious File Transfer - ICECANDLE, Download, Variant #3
A101-865Malicious File Transfer - ICECANDLE, Download, Variant #2
A101-882Malicious File Transfer - FIN12, Get-DataInfo.ps1, Download
A101-886Malicious File Transfer - KERBRUTE, Download, Variant #2
A101-909Lateral Movement - FIN12, RYUK, Execution with PsExec
A101-910Lateral Movement - FIN12, RYUK, Transfer with PsExec
A101-911Phishing Email - Malicious Attachment, FIN12, WEIRDLOOP
A101-912Malicious File Transfer - FIN12, ADFIND Batch Script
A101-920Phishing Email - Malicious Attachment, FIN12, BAZARLOADER
A101-921Malicious File Transfer - BAZARBACKDOOR, Download
A101-922Command and Control - FIN12, BEACON, Check-In
A101-923Command and Control - FIN12, DNS Query, Variant #1
A101-924Command and Control - FIN12, DNS Query, Variant #2
A101-925Command and Control - FIN12, DNS Query, Variant #3
A101-926Command and Control - FIN12, DNS Query, Variant #4
A101-927Command and Control - FIN12, DNS Query, Variant #5

Endpoint Actions

VIDTitle
A104-003Host CLI - RYUK, FIN12, Active Directory Reconnaissance
A104-004Host CLI - Scheduled Task Called by Run Key, Default Privileges
A104-007Host CLI - Scheduled Task Called by Run Key, Highest Privileges
A104-012Protected Theater - RYUK Actor Modify File Permissions
A104-710Protected Theater - RYUK Actor, Kill Services and Processes
A104-831Protected Theater - GRIMAGENT, Schtask and Registry for Persistence
A104-842Protected Theater - FIN12, RYUK, Download and Execution via BITSAdmin
A104-856Host CLI - FIN12, Active Directory Reconnaissance