A financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.

The Russian-speaking hacker group, codenamed FIN12 and previously tracked as UNC1878, has a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including the education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.

Ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities, with Ryuk infections mainly leveraging accesses obtained via malware families like TrickBot and BazaLoader.

FIN12’s targeting of the healthcare sector suggests that its initial access brokers cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained.

Threat actors have obtained a foothold in the network through phishing email campaigns distributed internally from compromised user accounts, leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Attacks mounted between mid-February and mid-April of 2021 are said to also have taken advantage of remote logins by getting hold of credentials to victims’ Citrix environments.

While FIN12’s tactics in late 2019 involved using TrickBot as a means to maintain a foothold in the network and carry out latter-stage tasks, including reconnaissance, delivering malware droppers, and deploying the ransomware, the group has since consistently banked on Cobalt Strike Beacon payloads for performing post-exploitation activities.

FIN12 also distinguishes itself from other intrusion threat actors in that it doesn’t engage in data theft extortion (a tactic that’s used to leak exfiltrated data when victims refuse to pay up), which Mandiant says stems from the threat actor’s desire to move quickly and strike targets that are willing to settle with minimal negotiation.

The average time to ransom (TTR) across our FIN12 engagements involving data theft was 12.4 days (12 days, 9 hours, 44 minutes) compared to 2.48 days (2 days, 11 hours, 37 minutes) where data theft was not observed.

FIN12 is the first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle (ransomware deployment) while relying on other threat actors for gaining initial access to victims. This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.