Heimdal
article featured image

Contents:

It is a well-known fact that the majority of ransomware actors are spending time on the victim network looking for important data to steal.

FIN12 does not follow this course of action as they mostly go with quick malware deployment against sensitive, high-value targets.

FIN12 Ransomware

FIN12 has been a prolific threat actor with a strong focus on making money who has carried out ransomware attacks since at least October 2018.

As explained by BleepingComputer, the gang collaborates closely with the TrickBot gang and preys on high-value victims (above $300 million) in a range of sectors and locations throughout the world.

FIN12 is different from other ransomware gangs because it skips the data exfiltration step, which is used by other ransomware gangs to increase their chances of getting paid.

This feature allows the gang to carry out attacks faster than past ransomware groups, taking less than two days from the first infiltration to file encryption.

FIN12 M.O.

It seems that most ransomware gangs that also steal data have a median stay duration on the victim’s network of five days, with an average value of 12.4 days.

With FIN12, the average time spent on the victim network decreased year after year, eventually reaching less than three days in the first half of 2021.

After gaining initial access, the gang wasted little time in attacking their victims, and in most cases, they started a same-day action.

FIN12 is renowned for preferring to employ Ryuk ransomware, however, the gang also used Conti, Ryuk’s successor.

FIN12 allegedly exfiltrated around 90GB of data to several cloud storage providers throughout the assault and extorted the victim twice to keep the material out of public view.

Conti ransomware, which shares code with Ryuk, first surfaced in sporadic occurrences towards the end of 2019. Conti activity increased in July 2020 while Ryuk ransomware assaults became less common.

According to the researchers, FIN12 was also involved in previous ransomware instances that involved data theft utilizing Ryuk. In other situations, the information has been exfiltrated to the attacker’s devices but was not used for extortion.

The cybersecurity company Mandiant notes that many FIN12 victims are in the healthcare sector.

It is interesting to note that FIN12 did not breach the networks by themselves as they obtained initial access from their partners, via TrickBot and BazarLoader in particular.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE