A detailed report about FIN12, a financially motivated threat actor known for its ransomware activities, was recently released. The suspected partner of the TrickBot gang has been active since October 2018 and focuses on high-value targets.
The report findings
The report by Mandiant Intelligence activity sheds light on attack tactics and how the actor selects its target.
- FIN12 mostly deploys Ryuk ransomware for data theft attacks with healthcare as its favorite target sector, as observed especially during the pandemic.
- Around 20% of its victims are in healthcare. Other targeted sectors include finance, education, manufacturing, and IT.
- It targets large organizations that have annual revenues over $300 million, with an average of almost $6 billion.
- The report indicated that, since September 2020, around 20% of the incident response engagements were related to FIN12 intrusions.
- In a one-off, FIN12 was also spotted dropping Conti ransomware in one of the attacks where it extorted twice from the victim for stolen 90GB of data.
The shift in targeted regions
- In the last two years, most of FIN12’s victims were based in North America (71% in the U.S. and 12% in Canada).
- This year, the group has expanded its scope by targeting companies in Australia, Indonesia, Colombia, France, Ireland, the Philippines, Spain, South Korea, the UAE, and the U.K.
More insights
- The report found that the average time FIN12 spends on the victim network is reducing each year. It was five days in Q1 2020 and was reduced to three days during the first half of 2021.
- For initial access, the group relied mostly on its partners such as TrickBot/BazarLoader. However, FIN12 used other initial access vectors, such as backdoors, droppers, and code signing certificates.
Conclusion
FIN12 is believed to further evolve and expand its operations including data theft and extortion, according to experts. Moreover, the group is regularly improving its tactics, techniques, and procedures. Therefore, experts recommend a multi-layer security architecture to thwart such threats at the early stages.
Source: https://cyware.com/news/trickbots-fin12-is-claiming-victims-at-higher-rate-438ed65c
