FIN12 Ransomware Attacks Aggressively Targeting Healthcare
Mandiant Report Says Threat Actors Deploy Ryuk, Leverage Initial Access Brokers
An aggressive, financially motivated, Russian-speaking threat actor group that deploys Ryuk ransomware, relies on Trickbot-linked initial access brokers, and generally skips double-extortion attempts in favor of fast, high-payout ransoms has been predominantly targeting the healthcare sector, warns a report from security firm Mandiant.
Dubbed FIN12, the threat actor group has been behind "prolific ransomware attacks" dating to at least October 2018, Mandiant says.
"FIN12’s operations provide illustration that no target is off limits when it comes to ransomware attacks, including those that provide critical care functions," the report says.
Nearly 20% of FIN12 victims directly observed by Mandiant have been in the healthcare industry. That includes FIN12 attacks at healthcare organizations both before and after a joint alert was issued in October 2020 by multiple U.S. government entities - including CISA, the FBI and the Department of Health and Human Services - warning of “increased and imminent” threats to hospitals and medical facilities involving Ryuk, Mandiant notes (see: U.S. Hospitals Warned of Fresh Wave of Ransomware Attacks).
"This targeting pattern deviates from some other ransomware threat actors who had at least stated an intention to show restraint in targeting hospitals, especially throughout the COVID-19 pandemic," Mandiant notes.
For instance, recent HHS alerts to the healthcare sector about the LockBit 2.0 and BlackMatter ransomware groups noted that both groups claim not to target hospitals and other healthcare entities, despite evidence of such attacks.
Healthcare facilities are still a top target of ransomware attacks since they provide lifesaving services to their patients, "which means they can't afford to have their facilities go offline due to a cyberattack - and may be more amenable to pay a ransom faster and quicker to ensure the safety of human life," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
"These attacks by FIN12, as well as other ransomware gangs and now the new gangs 'renting out' other gangs’ ransomware, will continue to happen as long as they are successful and there is money to be made. Period," he says.
Brett Callow, a threat analyst at security firm Emsisoft, offers a similar assessment.
"Ransomware operators are nothing if not predictable," he says. "If a particular tactic works well for them or a particular sector proves to be especially profitable, it’ll be a case of 'rinse and repeat.' Why mess with a winning formula?"
Whether a business enterprise is legitimate or criminal, "they focus on the strategies that they’ve found to work well and in the case of FIN12, that seems to include attacking the healthcare sector," he adds.
FIN12’s other victims have been in a range of sectors, including business services, education, finance, government, manufacturing, retail and technology, Mandiant says.
"The majority of observed FIN12 victims have been based in North America, but their regional targeting has been expanding in 2021 throughout other regions, including Europe and Asia-Pacific," Mandiant notes.
Mandiant says it suspects FIN12 is comprised of Russian-speaking actors who may be located in countries of the Commonwealth of Independent States, a grouping of former Soviet republics. "FIN12 has not targeted CIS-based organizations and identified partners, and all currently identified Ryuk users have spoken Russian," the firm says.
In nearly every FIN12 intrusion since February 2020, FIN12 has used Cobalt Strike Beacon payloads to interact with victim networks, progressing through their attacks from internal reconnaissance to ransomware deployment, Mandiant says.
Previously, however, FIN12 used a broader toolset for the same functions, including the PowerShell-based Empire framework and, in its earliest intrusions, the Trickbot banking Trojan as a post-exploitation framework alongside Empire, the report says.
FIN12 relies on partners to obtain initial access to victim environments, the report says. "Notably, instead of conducting multifaceted extortion, a tactic widely used by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims," the report says.
"The lack of large-scale data exfiltration in FIN12 incidents has almost certainly contributed to their high cadence of operations, with FIN12 intrusions making up nearly 20% of our ransomware incident response engagements since September 2020."
Mandiant says it analyzed a limited set of Bitcoin wallet transactions that were associated with payments made by FIN12 victims.
"We assess with high confidence that victim payments are split among various threat actors, which is consistent with our belief that FIN12 leverages initial access providers, and likely other partners, to complete all aspects of the attack life cycle."
Victims' annual revenues are typically greater than $300 million, Mandiant notes. "We believe that FIN12's partners cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained."
FIN12 appears to have a close working relationship with actors associated with the development of Trickbot Trojan malware and related families, which include Bazarloader, Bazarbackdoor and Anchor, Mandiant says.
"In some cases, it appears that these relationships may lead to resource sharing including the use of malware that is atypical for FIN12 intrusions," Mandiant says.
"Beyond leveraging accesses obtained via these families, both FIN12 and Trickbot-adjacent activity commonly use overlapping toolsets and services including backdoors, droppers, and code-signing certificates."
Despite these overlaps, Mandiant tracks FIN12 "as a distinct threat actor given the specific role in the deployment of ransomware and their demonstrated ability to work independently."
Other Attack Trends
Marcus Guidry, senior cyberthreat intelligence analyst at security firm Pondurance, notes that FIN12 is using many of the same tools that other ransomware groups have used to launch their attacks. For instance, "the use of Cobalt Strike to move laterally across compromised networks is very well known," he says.
"Unfortunately, the trends in ransomware attacks on the healthcare sector have only continued to increase since the COVID-19 pandemic," he says.
Guidry says that so far this year, he's aware of nearly 90 ransomware attacks globally on healthcare, and the majority of them were in the U.S.
"Other ransomware groups like Conti, REvil, and PYSA have also targeted healthcare in the same manner," he says.
Weiss says ransomware-as-a-service is a dangerous trend in the ransomware wars, and is likely to cause an increase in the frequency and number of ransomware attacks.
"We have also seen an explosion of ransomware attacks against entities outside of healthcare, such as government websites, schools, universities and even local municipalities," he says.
"In short, the ransomware wars are entering a new and dangerous expansion that will only continue so long as these cyberthreat actors continue to make significant ransoms."
Defending Against Attacks
The main challenge for many healthcare organizations is a lack of resources available to adequately defend against ransomware attacks, Guidry notes.
"The best way to stop ransomware groups from attacking your environment is to implement a layered, defensive approach," he says. "Patching critical apps like Citrix and Exchange with the latest security patches is a must."
Another important step for organizations is to immediately isolate and rebuild any machines on their networks where malware that is a precursor for ransomware - such as Trickbot, BazarLoader, Qbot or IcedID - has been detected, he says.
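The isolate-and-rebuild advice above only works if precursor detections are pulled out of the alert noise quickly and worked in a sensible order. The script below, an added example that is not from the article or the Mandiant report, triages a constructed, hypothetical JSON-lines export of EDR alerts (the `host`/`timestamp`/`detection` field names and the family alias table are assumptions; real products name these differently). It flags hosts carrying the precursor families the article names (Trickbot, BazarLoader, Qbot, IcedID), and sorts hosts that additionally show Cobalt Strike Beacon activity to the front, since the report describes Beacon as the tooling FIN12 uses once it has taken over the access.

```python
"""Triage precursor-malware alerts into an isolation/rebuild queue.

Added example, not code from the article or from Mandiant. The alert
records below are constructed sample data in a hypothetical JSON-lines
format; adapt the field names and alias table to your EDR's export.
"""
import json
from datetime import datetime, timezone

# Precursor families the article names, plus common alternate names.
# The alias table is an assumption; extend it to match your EDR's labels.
PRECURSOR_FAMILIES = {
    "trickbot": "Trickbot",
    "bazarloader": "BazarLoader",
    "bazaloader": "BazarLoader",
    "bazarbackdoor": "BazarLoader",
    "qbot": "Qbot",
    "qakbot": "Qbot",
    "icedid": "IcedID",
    "bokbot": "IcedID",
}

# Post-exploitation tooling the report ties to FIN12's hands-on phase.
# Substring matching on "beacon" is deliberately broad; tune for your data.
HANDS_ON_INDICATORS = ("cobalt strike", "cobaltstrike", "beacon")


def classify(detection_name):
    """Return ('precursor', family), ('hands_on', None), or None."""
    name = detection_name.lower()
    for key, family in PRECURSOR_FAMILIES.items():
        if key in name:
            return ("precursor", family)
    for key in HANDS_ON_INDICATORS:
        if key in name:
            return ("hands_on", None)
    return None


def build_isolation_queue(alert_lines):
    """Parse JSON-lines alerts; return hosts to isolate, most urgent first.

    Ordering: hosts that show hands-on tooling (Beacon) first, then by the
    earliest precursor detection, i.e. the longest attacker dwell time.
    Hosts with neither kind of detection are dropped from the queue.
    """
    hosts = {}
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        verdict = classify(alert["detection"])
        if verdict is None:
            continue
        ts = datetime.fromisoformat(alert["timestamp"]).astimezone(timezone.utc)
        entry = hosts.setdefault(
            alert["host"],
            {"host": alert["host"], "families": set(), "hands_on": False, "first_seen": None},
        )
        kind, family = verdict
        if kind == "precursor":
            entry["families"].add(family)
            if entry["first_seen"] is None or ts < entry["first_seen"]:
                entry["first_seen"] = ts
        else:
            entry["hands_on"] = True

    far_future = datetime.max.replace(tzinfo=timezone.utc)
    queue = sorted(hosts.values(), key=lambda e: (not e["hands_on"], e["first_seen"] or far_future))
    return [
        {
            "host": e["host"],
            "families": sorted(e["families"]),
            "hands_on": e["hands_on"],
            "first_seen": e["first_seen"].isoformat() if e["first_seen"] else None,
        }
        for e in queue
    ]


# Constructed sample alerts (hypothetical hosts and detection names).
SAMPLE_ALERTS = """
{"host": "ws-0412", "timestamp": "2021-10-05T08:14:00+00:00", "detection": "Trojan:Win32/Trickbot.A"}
{"host": "ws-0412", "timestamp": "2021-10-05T09:02:00+00:00", "detection": "Backdoor:Win64/CobaltStrike.Beacon"}
{"host": "fs-02", "timestamp": "2021-10-04T22:40:00+00:00", "detection": "Qakbot loader"}
{"host": "ws-0777", "timestamp": "2021-10-05T10:30:00+00:00", "detection": "PUA:Win32/Adware.Generic"}
{"host": "ws-0301", "timestamp": "2021-10-05T07:55:00+00:00", "detection": "Trojan:Win32/BazaLoader.B"}
{"host": "fs-02", "timestamp": "2021-10-05T01:10:00+00:00", "detection": "Trojan:Win32/IcedID.C"}
"""

if __name__ == "__main__":
    for entry in build_isolation_queue(SAMPLE_ALERTS.splitlines()):
        print(entry)
```

On the sample data the queue comes back as ws-0412 (Trickbot plus Beacon, so the intrusion is already past the broker hand-off), then fs-02 (Qbot and IcedID, earliest detection), then ws-0301 (BazarLoader); the adware-only host is left out. The output is a work list for isolation and rebuild, not a reason to wait: any host in the queue should be cut off from the network before the rebuild is scheduled.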