BACKGROUND:
Mandiant has announced it upgraded a financially-motivated threat actor to “FIN12.” FIN12 has deliberately and aggressively targeted healthcare facilities with ransomware throughout the pandemic, and has accounted for nearly 20% of all ransomware intrusions Mandiant has responded to in the last year. Unlike other ransomware operations seen today, FIN12 does not focus on stealing data to use for extortion, and instead prioritizes speed in their operations. As a result, their average time-to-ransom is around 2.5 days, which is roughly twice as fast as other ransomware gangs. This highlights a growing concern that threat actors are improving not just in terms of volume due to larger teams, but also efficiency of their operations.
FIN12 is one of the most aggressive ransomware threat actors tracked by Mandiant. Unlike other actors who are branching out into other forms of extortion, this group remains focused purely on ransomware, moving faster than its peers and hitting big targets. They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims. Nothing is sacred with these actors – they will go after hospitals/healthcare facilities, utilities, critical infrastructure, etc. This illustrates that they choose not to abide by the norms.
While more than 80% of FIN12’s victims have been based in North America, Mandiant observed more than twice as many victims outside of North America in the first half of 2021 than in 2019 and 2020 combined, with many of these new victims based in Europe and Asia Pacific. Since many of the countries in those regions have a nationalized healthcare system, they may be at increased risk of impact by FIN12, as these networks provide healthcare services for a higher proportion of these countries’ citizens than any private healthcare businesses in North America.
Whilst FIN12 has historically focused its targeting on North American entities, the group poses a rising threat to the UK and Europe. Mandiant has observed a significant uptick in FIN12 operations targeting European organisations since the beginning of 2021 (including those based in France, Ireland, Spain, and the United Kingdom).

FIN12 is known for targeting large organisations with significant revenues. Europe provides ample opportunities for cyber criminals to exploit, given the sheer number of large economies as well as various large multinationals that have their headquarters located in the continent.

FIN12’s increased targeting outside of North America is emblematic of a wider trend, with the cyber crime threat growing increasingly severe in Europe. Despite the large number of developed economies, the cyber security maturity of European organisations is relatively mixed. This presents clear opportunities for cyber criminals to exploit entities that are still developing their cyber security posture.