An “aggressive” financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.
Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.
“FIN12 relies on partners to obtain initial access to victim environments,” Mandiant researchers said. “Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims.”
The use of initial access brokers to facilitate ransomware deployments isn’t new. In June 2021, findings from enterprise security company Proofpoint revealed that ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities, with Ryuk infections mainly leveraging accesses obtained via malware families like TrickBot and BazaLoader.
FIN12’s targeting of the healthcare sector suggests that its initial access brokers “cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained.”
Mandiant also noted that it observed, in May 2021, threat actors obtaining a foothold in the network through phishing email campaigns distributed internally from compromised user accounts, before leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Attacks mounted between mid-February and mid-April of 2021 are said to also have taken advantage of remote logins by getting hold of credentials to victims’ Citrix environments.
Although FIN12’s tactics in late 2019 involved using TrickBot as a means to maintain a foothold in the network and carry out latter-stage tasks, including reconnaissance, delivering malware droppers, and deploying the ransomware, the group has since consistently banked on Cobalt Strike Beacon payloads for performing post-exploitation activities.
FIN12 also distinguishes itself from other intrusion threat actors in that it doesn’t engage in data theft extortion — a tactic that’s used to leak exfiltrated data when victims refuse to pay up — which Mandiant says stems from the threat actor’s desire to move quickly and strike targets that are willing to settle with minimal negotiation.
“The average time to ransom (TTR) across our FIN12 engagements involving data theft was 12.4 days (12 days, 9 hours, 44 minutes) compared to 2.48 days (2 days, 11 hours, 37 minutes) where data theft was not observed,” the researchers said. “FIN12’s apparent success without the need to incorporate additional extortion methods likely reinforces this notion.”
“[FIN12 is the] first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle — ransomware deployment — while relying on other threat actors for gaining initial access to victims,” Mandiant noted. “This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.”