A long-running threat group with a track record of rapid ransomware deployment and healthcare sector victims is ramping up its operations in Europe and APAC, Mandiant has warned.
In a new report detailing the work of FIN12, the threat intelligence firm claimed that the prolific threat group had focused mainly on North American targets since its activities were first recorded in 2018.
Around 85% of its victims were from this region, and 20% thus far have been healthcare sector organizations, which many ransomware groups promised to steer clear of during the pandemic.
The bad news for organizations elsewhere in the world is that FIN12 appears to be changing its geographical focus.
“We observed twice as many victim organizations based outside of North America in the first half of 2021 than we observed in 2019 and 2020 combined. Collectively, these organizations have been based in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the UK,” explained Mandiant in a blog post.
“This shift could be due to various factors such as FIN12 working with more diverse partners to obtain initial access and increasingly elevated and unwanted attention from the US government.”
The group apparently uses Ryuk ransomware to target organizations with over $300m in revenue, partnering with other actors in the cyber underground for initial access, especially those affiliated with Trickbot and BazarLoader malware.
Through these partnerships and by eschewing double extortion tactics, FIN12 has dramatically cut the time it takes to deploy ransomware to victim networks.
“In the first half of 2021, as compared to 2020, FIN12 significantly improved their TTR, cutting it in half to just 2.5 days,” said Mandiant.
“These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly.”