A new ransomware group called FIN12 has been found to be aggressively targeting healthcare facilities globally, according to a report by cybersecurity software-as-a-service solutions provider Mandiant.
Mandiant added that 20% of all ransomware intrusions it has detected over the past year have been linked to FIN12. The group has been in operation since 2018.
Unlike traditional ransomware, FIN12 does not aim to steal data and later use it for extortion, but rather prioritises quick attacks in its operations.
Its average time to ransom is about 2.5 days, roughly twice as fast as other ransomware groups. This is concerning for enterprises globally, as the threat actors seem to be not only evolving into larger teams but also becoming more efficient in their operations.
“They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims. Nothing is sacred with these actors – they will go after hospitals/healthcare facilities, utilities, critical infrastructure,” said Kimberly Goody, Director of Financial Crime Analysis at Mandiant.
Here’s what our APAC executives at Mandiant have to say on the group’s more recent actions:
The researchers said that FIN12 mainly operates through the deployment of the RYUK ransomware and targets high-revenue organisations with speed. The group also seems to have a new model for demanding ransom: as a percentage of the company’s overall revenues.
“While most of FIN12’s victims are in North America, FIN12 has victimised organisations in Asia Pacific countries including Australia, Indonesia, the Philippines, and South Korea,” said Steve Ledzian, VP, CTO-APAC, Mandiant.
However, 80% of FIN12’s victims have been based in North America, with Mandiant saying that victims outside of North America in the first half of 2021 were twice as many compared to 2019 and 2020.
Researchers said that there seems to be a pattern of targeting countries which have a nationalised healthcare system, as they provide services to a larger population.