As if the healthcare industry needed more bad news about ransomware, new reports on the FIN12 ransomware gang say that the group prefers quick malware deployment against sensitive, high-value targets—making healthcare organizations prime targets.
According to an Oct. 7 article from ZDNet by Charlie Osborne for Zero Day, FIN12 is a “big game hunting” ransomware group, and one in five of its victims is in the healthcare sector.
Osborne writes that “On Thursday, Mandiant [a cybersecurity firm headquartered in Alexandria, Va.] said that FIN12—upgraded from UNC1878 by the cybersecurity firm—is a financially driven group that targets organizations with average annual revenue of over $6 billion. Almost all of the threat group's victims generate a revenue of at least $300 million.”
“‘This number could be inflated by a few extreme outliers and collection bias; however, FIN12 generally appears to target larger organizations than the average ransomware affiliate,’ the researchers say,” Osborne writes.
In her article, Osborne says that “the cybercriminals seem to have no moral compass,” as 20 percent of its victims belong to the healthcare sector. “Many ransomware-as-a-service (RaaS) outfits do not allow hospitals to be targeted, but as a result, Mandiant says that it may be cheaper for FIN12 to buy initial access due to low demand elsewhere,” she reports.
Zach Riddle, senior analyst at Mandiant, was quoted in Osborne’s article saying that "We do not believe that others refusing to target healthcare has a direct correlation to FIN12's willingness to target this industry. FIN12 may perceive that there is a higher willingness for hospitals to quickly pay ransoms to recover critical systems rather than spend weeks negotiating with actors and/or remediating the issue. Ultimately, the criticality of the services they provide not only likely results in a higher chance that FIN12 will receive a payment from the victim, but also a quicker payment process."
Osborne adds that “FIN12 is closely linked to Trickbot, a botnet operation that offers cybercriminals modular options including means of exploit and persistence. Despite having its infrastructure disrupted by Microsoft, the threat actors have recently returned with campaigns against legal and insurance companies in North America.”
Further, “The group's main goal is to deploy Ryuk ransomware. Ryuk is a prolific and dangerous variant of malware, containing not only the typical functions of ransomware—the ability to encrypt systems to allow operators to demand payment in return for a decryption key—but also new worm-like capabilities to spread and infect additional systems.”
FIN12, in some cases, has managed a successful ransomware campaign in two and a half days. The group’s average time-to-ransom is just under four days and is increasing as time goes on.
On Oct. 7, Mandiant published a full report on the historical and ongoing activity attributed to FIN12 and their use of partners to enable their operations, entitled “FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets.”
According to the blog post announcing the release of the report, the firm observed FIN12 activity at healthcare organizations both before and after the joint alert issued by multiple U.S. government entities in October 2020. “This targeting pattern deviates from some other ransomware threat actors who had at least stated an intention to show restraint in targeting hospitals, especially throughout the COVID-19 pandemic,” the blog says. “FIN12’s remaining victims have operated in a broad range of sectors, including but not limited to business services, education, finance, government, manufacturing, retail, and technology.”
According to an Oct. 7 article from BleepingComputer by Ionut Ilascu, FIN12 is believed [by Mandiant] to be a Russian-speaking group of individuals that may be located in the Commonwealth of Independent States (CIS) region.
Ilascu writes that “The gang is likely to further evolve and expand their operations to include data theft as a more common stage of an attack as they start collaborating with a more diverse assortment of cybercriminals (e.g., ransomware operations with a leak site).”
At the end of September, the first credible public claim that a death was caused, at least in part, by ransomware was reported. Additionally, hospitals and health systems in the U.S. are underprepared for intensifying cyberattacks, according to CynergisTek’s fourth annual report that found that 64 percent of organizations were below an 80-percent level of preparedness. With the COVID-19 pandemic continuing to overwhelm hospital systems across the country, ransomware attacks do not seem to be slowing down, putting revenue, brand reputation—and most of all—patient safety at risk.