Ransomware Group FIN12 Aggressively Going After Healthcare Targets
An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.
Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.
"Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims."
FIN12's targeting of the healthcare sector suggests that its initial access brokers "cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained."
FIN12 also distinguishes itself from other intrusion threat actors in that it doesn't engage in data theft extortion - a tactic that's used to leak exfiltrated data when victims refuse to pay up - which Mandiant says stems from the threat actor's desire to move quickly and strike targets that are willing to settle with minimal negotiation.
" first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle - ransomware deployment - while relying on other threat actors for gaining initial access to victims," Mandiant noted.