Prolific ransomware cybercrime group’s approach underscores a complicated, layered model of cybercrime.
Its ransomware targets are big, averaging $6 billion in revenue. It deploys ransomware more rapidly than most groups, within 2.5 days. Healthcare organizations are among its main targets. This prolific ransomware gang – best known for dropping the RYUK flavor of extortion malware and now given the cybercrime group designation of FIN12 by Mandiant – is connected to some 20% of all ransomware attacks that Mandiant has investigated in the past year.
Unlike some ransomware attack groups that have layered on extortion threats and data leaks for extra muscle, FIN12 thus far appears to be all about making a lot of money – very quickly.
“They are so fast. That’s what separates them,” says John Hultquist, vice president of intelligence analysis at Mandiant.
FIN12, which Mandiant says appears to be a Russian-speaking group and active since at least October 2018, specializes in the ransomware attack itself, leaving the initial compromise to other groups. It has been closely associated with Trickbot-affiliated gangs and, since February 2020, has employed the Cobalt Strike Beacon tool in its attacks, as well as Trickbot and Empire tools.
Most of FIN12’s victims traditionally have been based in North America, but it has also dropped ransomware on organizations in Europe and Asia Pacific, Mandiant said in a report published today on FIN12. Some 20% of FIN12’s victims have been healthcare organizations.
US government officials recently have been cranking out new policy initiatives to put the squeeze on ransomware cybercrime. Just this week, the Department of Justice (DoJ) launched the National Cryptocurrency Enforcement Team to crack down on illegal use of cryptocurrency, the anonymous payment conduit of choice by ransomware operators. The DoJ also announced the Civil Cyber-Fraud Initiative to ensure government contractors disclose their cybersecurity protocols and cyberattacks in order to protect agencies from supply chain-related cyberattacks.
President Joe Biden issued an executive order on cybersecurity in May in the wake of the Colonial Pipeline ransomware attack. Even so, lucrative and mostly anonymous ransomware attacks aren’t expected to decline anytime soon. In a keynote Q&A during Mandiant’s Cyber Defense Summit in Washington, D.C., this week, Gen. Paul Nakasone, director of the National Security Agency (NSA) and Commander of the US Cyber Command, was asked by Mandiant CEO Kevin Mandia whether ransomware would still be a big threat five years from now. Nakasone’s response: “Every single day.”
The good news, he said, is that the US government is doubling down on efforts to combat ransomware.
“Ransomware is a national security issue. I firmly believe that,” Nakasone said. “There’s a surge going on now … understanding how to get after ransomware [attackers] and how to partner better [to thwart them].”
The Fog of Ransomware
But the conundrum for the feds, researchers, and incident-response experts is the increasing difficulty of unmasking the attacks’ true masterminds. They’re not the ransomware code writers, nor FIN12 or the other ransomware deployment groups, but rather the criminals who pinpoint targets and then contract with FIN12 and other groups to drop ransomware onto those targets.
This layered and staged model of many cybercrime attacks makes it harder to reach or stop the criminals who contract FIN12 and other groups, according to Mandiant. FIN12’s relatively streamlined and rapid model of ransomware deployment is a key example of this.
“Imagine that we have an adversary doing 20% of the damage in this space and is heavily focused on healthcare, and we haven’t effectively IDed them,” Hultquist notes. Because FIN12 relies on other cybercrime groups to gain initial access to targeted organizations, it can concentrate solely on deploying Ryuk or other ransomware.
Mandiant credits that model with allowing FIN12 to cut in half its time-to-ransomware to 2.5 days in the first half of this year, compared with five days last year.
“These efficiency gains are likely due at least in part to their specialization in a single phase of the attack life cycle, allowing them to develop their expertise more quickly. FIN12 has also seemingly made a deliberate choice to prioritize speed, as we’ve rarely observed these threat actors engage in data theft extortion,” Mandiant said in its report. “However, it is plausible that these threat actors may evolve their operations to more frequently incorporate data theft in the future. For example, FIN12 could identify certain industries that weigh the threat of data exposure more heavily than downtime caused by a ransomware attack and choose to employ this tactic against those targets if they are deemed to be of particularly high value.”
Hultquist says the initial threat actor who IDs and infects high-profile, lucrative victims often gets forgotten in the fog of ransomware. So victims and investigators can get overly focused on the ransomware stage of the attack.
“The problem is that our perception is all about the last mile of your intrusion,” he says of that mindset. “All we think about is you got hacked by REvil [ransomware]. Actually, you got hacked by an affiliate of REvil.”