The operations and tools of FIN12, a highly aggressive ransomware gang that has likely made a large amount of money in recent years, are detailed in a report issued by Mandiant on Thursday.
The threat group, previously tracked by Mandiant as UNC1878, has been active since at least October 2018. Mandiant assigns the UNC (uncategorized) designation to a group it has not yet classified as either a financially motivated group (FIN) or a state-sponsored advanced persistent threat actor (APT).
In most of its attacks, FIN12 has deployed the Ryuk ransomware and has relied on other cybercrime groups for initial access into victims’ environments. Until March 2020 it relied largely on access obtained by operators of the Trickbot malware; after that it began to use additional malware, as well as remote Citrix and RDP logins using credentials obtained from underground forums.
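A defender-side check for the second access route named above, remote RDP logons with purchased credentials, is to surface successful RemoteInteractive logons that arrive from outside the organisation’s own address ranges and to flag accounts that do so from more than one external source. The script below is an added illustration, not code from the Mandiant report or from this article; the log lines, the internal address ranges and the key=value record layout are all constructed for the example, and only Event ID 4624 and logon type 10 (Windows’ RDP logon type) are real values.

```python
"""Scan constructed Windows Security event records for RDP logons from external sources.

Event ID 4624 = successful logon; logon_type=10 = RemoteInteractive (RDP).
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines, rendered as key=value pairs for simplicity.
SAMPLE_LOG = """\
ts=2021-05-03T02:14:07Z event_id=4624 logon_type=10 user=jdoe src_ip=10.20.30.41 host=WS-0114
ts=2021-05-03T02:16:52Z event_id=4624 logon_type=10 user=svc_backup src_ip=203.0.113.77 host=SRV-DC01
ts=2021-05-03T02:17:30Z event_id=4624 logon_type=3 user=svc_backup src_ip=10.20.30.5 host=SRV-FS01
ts=2021-05-03T02:21:09Z event_id=4624 logon_type=10 user=svc_backup src_ip=198.51.100.12 host=SRV-DC01
ts=2021-05-03T02:25:44Z event_id=4625 logon_type=10 user=admin src_ip=198.51.100.12 host=SRV-DC01
ts=2021-05-03T03:02:11Z event_id=4624 logon_type=10 user=mlee src_ip=10.20.31.9 host=WS-0207
"""

# Constructed internal ranges; a real deployment would load its own address plan here.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(log_text):
    """Return successful RDP logons (4624, type 10) whose source lies outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] == "4624" and ev["logon_type"] == "10" and not is_internal(ev["src_ip"]):
            hits.append(ev)
    return hits


def accounts_with_multiple_external_sources(log_text):
    """Map user -> sorted distinct external source IPs, keeping only users seen from more than one."""
    sources = defaultdict(set)
    for ev in external_rdp_logons(log_text):
        sources[ev["user"]].add(ev["src_ip"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    for ev in external_rdp_logons(SAMPLE_LOG):
        print(f"external RDP logon: {ev['user']} from {ev['src_ip']} to {ev['host']} at {ev['ts']}")
    for user, ips in accounts_with_multiple_external_sources(SAMPLE_LOG).items():
        print(f"{user}: RDP logons from several external addresses {ips}")
```

On the constructed sample the failed logon (4625) and the network logon (type 3) are ignored, and the service account that reaches a domain controller over RDP from two unrelated public addresses within minutes is the one record worth a closer look; in production the same logic would run over events exported from a SIEM rather than an inline string.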
Unlike other ransomware groups, FIN12 rarely spends time acquiring valuable data from victims’ environments before encrypting their data and demanding a ransom. Instead, they appear to favour speed, spending less than three days on average on the victim’s network before encrypting files and announcing their existence with a ransom demand, according to researchers.
Furthermore, they appear to target only businesses with revenues of at least $300 million; the average annual revenue of the FIN12 victims identified by Mandiant was over $6 billion.
Cybercriminal organisations that use the Ryuk ransomware often seek a ransom of $5 million to $50 million.
Mandiant’s director of financial crime, Kimberly Goody, said that while they don’t usually have direct access to victim discussions, FIN12’s ransom demands have ranged from $1 million to $25 million based on what they have observed.
“Even if only a small number of victims paid a ransom, FIN12 might get tens of millions of dollars per month,” Goody added. “While there isn’t a clear comparison to FIN12, we do know that ransomware operations that use RYUK have been very profitable. We previously looked at victim communications and discovered that ransomware threat actors can make a lot of money. Payments received by bitcoin wallet addresses between January 2019 and April 2020, which we believe were mostly associated with RYUK victim ransom payments, but not exclusively FIN12 victims, totaled over $150 million USD. These profits are significant, and they can be re-invested in both people and tools to improve future operations’ efficacy.”
The group has targeted a diverse range of industries, including a number of healthcare firms, which several ransomware groups have promised to avoid. According to Mandiant, the healthcare industry accounts for 20% of FIN12 victims.
The majority of the companies targeted by FIN12 were based in North America, with 71% in the United States and 12% in Canada. Researchers suspect, however, that the group’s regional targeting has expanded, including to Europe and the Asia-Pacific region.
The Commonwealth of Independent States (CIS), which includes Russia and other former Soviet republics, is one region they haven’t targeted. In fact, according to Mandiant, the cybercriminals speak Russian and are most likely based in a CIS country.
FIN12 took a long break in the summer of 2020, according to Mandiant, and there was also some downtime in early 2021, around the holidays. According to Joshua Shilko, lead technical analyst at Mandiant, the group has been on hiatus since early June 2021.
“While this could signal that they’ve gone their separate ways or something, these breaks aren’t unusual in their history. And there are a few things we may expect when they return,” Shilko said. “Their TTPs, their playbook, has remained basically unchanged for nearly three years, which is rather astounding. When they do make changes, they make ones that have an impact and assist them in evading detection, such as modifying the obfuscation, in-memory loaders, Malleable C2 profiles, and occasionally switching up their post-intrusion frameworks. So, even if we haven’t seen them in a few months, we have no illusions that they are permanently gone.”
Mandiant’s report on FIN12 covers the group’s victimology, initial access, TTPs, use of malware and illicit services, monetization, and origins.
Until recently, Mandiant was a part of FireEye. The FireEye Products business and the FireEye name, however, were sold to private equity firm Symphony Technology Group (STG) for $1.2 billion earlier this year. The company formally changed its name from FireEye to Mandiant this week, and its Nasdaq ticker symbol moved from FEYE to MNDT.