Mandiant now tracking prolific ransomware affiliate FIN12 as distinct threat

In a landmark designation, Mandiant classified a ransomware affiliate as a distinct threat group, the first time it has given an organization of that type a formal name.

Ransomware is a complex economy. Ransomware affiliates license the right to install ransomware someone else designed, often purchasing access to pre-breached computers from other actors. The affiliate groups are not tied to a single brand of malware — with many using more than one brand at the same time — and malware is not tied to a single philosophy of who and how to target for installation. But most public discussions around ransomware only focus on the type of ransomware — for example, REvil, Ryuk or LockBit.

That oversimplification, said John Hultquist, senior director of analysis at Mandiant, can dramatically limit the conversation on ransomware. Saying Ryuk targets health care is less important than saying an individual affiliate targets health care, because that affiliate might change ransomware brands at any time, or a prolific affiliate might change brands to Ryuk at any time.

"When we talk about Ryuk ransomware, and are not able to talk about the crew that installs the ransomware, they are able to hide behind the name Ryuk," Hultquist told SC Media.

Mandiant announced Thursday that it would track FIN12, a group that tends to install Ryuk and focuses heavily on the health care sector. It is an incredibly prolific actor, responsible for around 20% of Mandiant's ransomware engagements since September 2020.

When a Ryuk infection targets health care, it is frequently this group, according to Mandiant's research. At the same time, chatter from ransomware forums shows that other Ryuk actors avoid the healthcare sector on moral grounds. Ryuk does not target health care, Hultquist stressed; specific crews using Ryuk target health care.

More on FIN12

FIN12 has some compelling habits. The current trend for ransomware groups is to use a multiple extortion model, where victims will choose to pay ransom not just because their files are encrypted but also because the actor threatens to release files they exfiltrated. FIN12 does not do that. Instead, they just use encryption. That allows FIN12 to deploy ransomware much faster than groups concerned with downloading files. It takes FIN12 on average 2.5 days to begin encrypting files. Other groups can take weeks.

FIN12 targets extremely high-value organizations, in Mandiant's experience, typically over $300 million in revenue and averaging $6 billion. It is seemingly intentional; they will often use revenue figures as a negotiating point.

Hultquist noted that some mixture of the high-value targets and the criticality of health care allows them to forego the multiple extortion model. The speed, he said, made it "really hard on defenders."

"You don't only have to detect in two days, you have to respond," he said. "We found that it was really challenging for defenders to move that fast to catch an operation like this."

Mandiant is currently tracking a lull in FIN12 activity, which the company projects as temporary. FIN12 took a temporary hiatus once before to retool, and other groups, Mandiant noted in its report, will slow operations when their suppliers, like initial access brokers, slow theirs.

"Or maybe they're on a beach," said Hultquist.

FIN12 appears to prefer use of Trickbot for access and relies on Colbolt Strike Beacon, but a full assortment of indicators of compromise, tactics, techniques and procedures are available in Mandiant's report.