Features

FIN12 Ransomware: Why It’s a Healthcare Threat, How to Prevent an Attack

FIN12 is efficient, unpredictable, and unafraid of targeting the healthcare sector, Mandiant experts warn.

Source: Getty Images

- Unlike other threat actors that shy away from deploying ransomware on critical infrastructure, education, and healthcare, FIN12 ransomware group specializes in targeted attacks on the healthcare sector.

Nearly 20 percent of threat intelligence firm Mandiant’s observed FIN12 attacks were targeted at healthcare entities, and over 70 percent of attacks were aimed at US-based entities, according to a Mandiant report released in October that first identified the group and detailed its practices.

Some ransomware groups, especially those that target critical industries, backed down at the height of the pandemic and amid global backlash against ransomware operators, Jeremey Kennelly, senior manager and principal analyst at Mandiant told HealthITSecurity.

“But FIN12, over the course of their operations, has always targeted healthcare organizations. We have seen no change proportionally, even in the face of a pandemic or in the face of broad public backlash over ransomware operations,” Kennelly explained.

“The mere fact of systems being unavailable causes huge disruption to these organizations. And thus, there is probably a perception amongst these actors that despite the bad look of targeting a healthcare organization, a healthcare organization is going to have a stronger argument to potentially pay a ransom in order to get their system online.”

Healthcare organizations should remain wary, not just of FIN12, but of the growing threat of ransomware attacks on the healthcare sector.

What makes FIN12 a threat?

FIN12 specializes in ransomware deployment and typically relies on other threat actors to gain initial access to victims. By focusing on this particular phase of the attack lifecycle, FIN12 can take advantage of the growing network of loosely affiliated threat actors working together to deploy ransomware efficiently and successfully.

According to Kennelly, FIN12 stands out for three reasons: they continue to target healthcare in the face of backlash, they operate with extreme speed, and they are unpredictable. The combination of these factors makes FIN12 a menacing threat to the healthcare sector.

The group appears to be Russian-speaking and has been active since at least October 2018, Mandiant’s report explained. From 2020 to 2021, FIN12 managed to halve its time-to-ransom (TTR), or the amount of time from when they access an environment to when they deploy ransomware. Mandiant discovered that the group can complete a cyberattack lifecycle in just 2.5 days.

“In the vast majority of cases they are not stealing data, but merely encrypting,” Kennelly noted.

“They are just breaking into organizations or obtaining access from other actors to learn a little bit about the network and immediately deploying ransomware.”

Most ransomware groups have telltale methods and tactics that experts can quickly identify and predict.

“Unlike a lot of ransomware operators, there isn't a distinctive manner in which FIN12 is gaining access to these organizations,” Kennelly said.

The group’s unpredictability gives them an edge and allows them to sneakily access networks and puzzle IT teams.

FIN12’s methods and tactics

Although FIN12 stands out for targeting the healthcare sector, the methods that they use to execute attacks are not unique. The group uses a network of other threat actors to deploy common but powerful malware tools.

“They've maintained a longstanding partnership with criminals that are associated with the TrickBot ecosystem,” Kennelly continued.

FIN12 is known to associate with criminals that operate on the TrickBot botnet and the BazarLoader and BazarBackdoor malware ecosystem. Mandiant has also observed FIN12 using Cobalt Strike, which is a commonly used commercial attack framework, and PsExec, a Microsoft-managed administrative tool.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), BazarLoader uses business-themed emails containing a link to a Google Docs file, and BazarBackdoor is capable of exfiltrating files from a victim, terminating running processes, and executing arbitrary payloads.

“We have, however, seen them obtain initial access via other mechanisms as well,” Kennelly warned.

FIN12 gravitates toward partnering with threat actors that know how to take advantage of network.

“There’s been a big shift towards the use of these common tools, because they are really effective. Despite how well known they are, they're often poorly detected, and they are readily available,” Kennelly explained.

“It also allows actors to blend in with the noise. So, it becomes harder to identify who they are and what they're doing based exclusively on their use of particular tools.”

How to protect your organization from ransomware attacks

Kennelly noted a troubling trend in the threat landscape that organizations should be aware of.

What was previously considered commodity malware is now being used as a foothold for the criminals who are deploying the ransomware themselves,” he explained.

Commodity malware refers to malware that is widely available for purchase or free to download and can be used by a variety of threat actors. The schemes are simple, but effective. But when a group like FIN12 is behind the scenes, the malware may just serve as a steppingstone to more sophisticated cyberattack efforts.

“Organizations have to understand when designing their greater security architecture that any malware on a host could lead to some sort of intrusion operation,” Kennelly emphasized.

“It’s much more than malware being installed on your computer to steal some credentials or get into your bank accounts and steal a couple thousand dollars. More so than that, we're seeing malware as foothold.”

Since FIN12 is leveraging a variety of footholds and is constantly using different entry points to gain access to networks, healthcare organizations should operate under the assumption that malware is simply the first step in a hacker’s plan.

“It all comes down to credential management, privilege management, and being able to monitor how authentication is occurring across the environment,” Kennelly advised.

In most cases, threat actors need to access elevated privileges in order to do damage. Enabling multi-factor authentication is one way to prevent hackers from obtaining initial access. Organizations should also consider installing antivirus software, enabling protections against the most common vulnerabilities, and educating employees regularly on proper cyber hygiene.

“Notably, intrusion groups do not typically have an allegiance to any particular RaaS brand and have exhibited that they can easily switch between or use multiple brands concurrently,” Mandiant’s report warned.

“The shifting nature of these allegiances is a key reason for why intrusion operators such as FIN12 are important for security teams and organizations to understand and track rather than maintaining an exclusive focus on the brands and ransomware families these operators choose to distribute at a given moment.”