REPORT

FIN12 GROUP PROFILE: FIN12 PRIORITIZES SPEED TO DEPLOY RANSOMWARE AGAINST HIGH-VALUE TARGETS

Nov 13, 2023
  • FIN12 is a financially motivated threat group, active since at least October 2018, that specializes in the post-compromise deployment of primarily RYUK ransomware. Instead of conducting multifaceted extortion, FIN12 appears to prioritize speed and higher-revenue victims.
  • Since initially emerging, FIN12 has maintained a close partnership with TRICKBOT-affiliated threat actors. However, FIN12 has seemingly diversified its partnerships for initial access operations, particularly in 2021.
  • FIN12 relies heavily on publicly available tools and malware to enable its operations. In nearly every single FIN12 intrusion since February 2020, FIN12 has used Cobalt Strike BEACON, but historically we have observed these threat actors also use EMPIRE and TRICKBOT as post-exploitation tools.
  • The majority of observed FIN12 victims have been based in North America, but their regional targeting has been expanding in 2021 throughout other regions, including Europe and Asia Pacific. We have observed FIN12 victims in nearly every industry, but notably 20 percent of these organizations have been based in the healthcare sector.
  • The Appendices contain YARA signatures associated with recently used in-memory droppers and C2concealer, as well as the relevant MITRE ATT&CK mappings.