A financially motivated threat group tracked as FIN12 has been linked to a series of RYUK ransomware incidents dating back to October 2018. The group works closely with TrickBot-affiliated actors and relies on publicly available tooling, notably Cobalt Strike Beacon payloads, to operate inside victim networks once access has been obtained.
Cybersecurity firm Mandiant has attributed these security breaches to this Russian-speaking hacker group, which was previously known as UNC1878. FIN12 has been particularly active in targeting healthcare institutions generating over $300 million annually, as well as organizations within the education, financial, manufacturing, and technology sectors across North America, Europe, and the Asia Pacific region.
This designation is unprecedented, marking the first time a ransomware affiliate group has achieved recognition as a standalone threat actor. “FIN12 relies on partners to gain initial access to victim environments,” Mandiant researchers noted. Unlike other ransomware groups, FIN12 prioritizes rapid execution and targeting high-revenue organizations instead of employing extensive extortion tactics.
The trend of using initial access brokers to facilitate ransomware operations is growing. A June 2021 report from Proofpoint highlighted this shift, indicating that ransomware attackers are increasingly acquiring access through prior compromises rather than traditional phishing methods. RYUK infections have notably leveraged access gained via malware families like TrickBot and BazaLoader.
Further analysis from cybersecurity firm KELA put the average price of network access at around $5,400 for the July 2020 to June 2021 timeframe. Notably, some threat actors have publicly declared that they will not target healthcare organizations. FIN12's focus on that sector suggests its access partners cast a wide net and that FIN12 then chooses its victims from whatever access is on offer.
In May 2021, Mandiant observed the actors establishing a foothold through internal phishing campaigns sent from already compromised user accounts, leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Between February and April 2021, intrusions also began with remote logins using valid credentials obtained from earlier compromises of victims' Citrix environments.
Whereas FIN12's earlier intrusions used TrickBot to maintain access and carry out follow-on activity such as reconnaissance and malware deployment, the group has increasingly relied on Cobalt Strike Beacon for post-exploitation tasks, a marked shift in its tradecraft.
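The two access paths described above (a remote-gateway login with stolen credentials, followed by internal phishing from the same account) leave a correlatable trail in ordinary telemetry. The script below is an added example, not code from Mandiant or from the report, and its log layout, field names, sample events and thresholds are all assumptions constructed for illustration: it baselines which (user, source IP) pairs a remote-access gateway has seen before, flags logins from a never-seen pair, and raises a finding when that account then sends an unusual volume of internal mail within a short window.

```python
from datetime import datetime, timedelta

# --- Constructed sample telemetry (assumption: not real data) ---------------
# Remote-access gateway logins: (timestamp, user, source_ip). Assumed to be
# normalised from a Citrix gateway or similar remote-login log.
GATEWAY_LOGINS = [
    ("2021-02-10T08:01:00", "jdoe",   "203.0.113.10"),
    ("2021-02-11T08:03:00", "jdoe",   "203.0.113.10"),
    ("2021-02-10T09:15:00", "asmith", "198.51.100.7"),
    ("2021-02-12T09:20:00", "bwong",  "198.51.100.9"),
    # events after the baseline cutoff (the hunting window)
    ("2021-03-03T22:41:00", "jdoe",   "192.0.2.55"),    # never seen for jdoe
    ("2021-03-04T08:02:00", "asmith", "198.51.100.7"),  # known pair
    ("2021-03-04T19:30:00", "bwong",  "192.0.2.80"),    # never seen for bwong
]

# Outbound mail summary: (timestamp, sender, number_of_internal_recipients).
MAIL_SENT = [
    ("2021-03-04T06:10:00", "jdoe",   45),
    ("2021-03-04T06:12:00", "jdoe",   40),
    ("2021-03-04T08:30:00", "asmith", 3),
    ("2021-03-04T20:05:00", "bwong",  2),
    ("2021-03-06T10:00:00", "jdoe",   60),  # outside jdoe's 24h window
]

# Logins before this date are treated as "known good" for baselining.
BASELINE_CUTOFF = datetime(2021, 3, 1)


def _ts(s):
    return datetime.fromisoformat(s)


def known_sources(logins, cutoff):
    """Baseline: (user, source_ip) pairs observed before the cutoff."""
    return {(u, ip) for t, u, ip in logins if _ts(t) < cutoff}


def first_seen_logins(logins, cutoff):
    """Logins at/after the cutoff whose (user, source_ip) pair is new."""
    baseline = known_sources(logins, cutoff)
    return [(t, u, ip) for t, u, ip in logins
            if _ts(t) >= cutoff and (u, ip) not in baseline]


def internal_recipients_after(mail, user, start, window):
    """Internal recipients addressed by `user` in [start, start + window)."""
    end = start + window
    return sum(n for t, s, n in mail if s == user and start <= _ts(t) < end)


def hunt(logins=GATEWAY_LOGINS, mail=MAIL_SENT, cutoff=BASELINE_CUTOFF,
         window=timedelta(hours=24), threshold=50):
    """Correlate first-seen remote logins with a following internal-mail burst.

    A first-seen login alone is noisy (travel, new ISP); the burst of internal
    mail from the same account is what makes it look like internal phishing
    from a compromised account. Threshold and window are assumptions.
    """
    findings = []
    for t, user, ip in first_seen_logins(logins, cutoff):
        n = internal_recipients_after(mail, user, _ts(t), window)
        if n >= threshold:
            findings.append({"user": user, "login_time": t, "source_ip": ip,
                             "internal_recipients_in_window": n})
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f)
```

On the constructed data only jdoe is flagged: the login from 192.0.2.55 is new for that account and is followed by 85 internal recipients within 24 hours. bwong's new-source login is left alone because the account sends almost nothing afterwards, and asmith is never a candidate because the source is in the baseline. In production the baseline would come from weeks of gateway logs rather than a handful of rows, and the threshold would be set per organisation from observed send volumes.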
FIN12 sets itself apart from other intrusion actors by rarely engaging in data theft extortion, a tactic that is common among its counterparts. Mandiant attributes this to the group's preference for fast attacks on targets likely to pay quickly, which fits its growing focus on healthcare networks. Mandiant observed an average time to ransom (TTR) of 12.4 days in incidents that involved data theft, compared with 2.48 days in incidents that did not. FIN12's continued success without adding data theft extortion likely reinforces that choice.
Mandiant’s assessment underscores that FIN12 is the first ransomware actor actively specializing in a defined phase of the attack lifecycle—ransomware deployment—while relying on other threat actors for the initial access. This emerging specialization reflects the evolving landscape of the ransomware ecosystem, characterized by loosely aligned groups working together, yet not exclusively partnered.