While many ransomware groups profess to be morally opposed to targeting healthcare organizations, FIN12 is not. Jeremy Kennelly, senior manager and principal analyst at Mandiant, explained: “The mere fact of systems being unavailable causes huge disruption to these organizations. And thus, there is probably a perception amongst these actors that despite the bad look of targeting a healthcare organization, a healthcare organization is going to have a stronger argument to potentially pay a ransom in order to get their system online.”
What Makes FIN12 Such a Threat?
Unlike many other ransomware groups, FIN12 focuses specifically on the ransomware deployment phase and relies on other threat actors for initial access to victims’ networks. Specializing in one phase of the attack lifecycle lets a group become more practiced, and therefore faster and more successful, in that phase. The effect shows in FIN12’s time-to-ransom (TTR), which the group has cut in half: according to the report, FIN12 can move through the full lifecycle of an intrusion, from initial access to ransomware deployment, in less than three days.
Kennelly noted, “In the vast majority of cases they are not stealing data, but merely encrypting. They are just breaking into organizations or obtaining access from other actors to learn a little bit about the network and immediately deploying ransomware.”
There is no single pattern to how FIN12 gains access to its victims, but one method the group has used in the past is BazarLoader. According to HHS, BazarLoader campaigns use business-themed emails containing a link to a Google Docs file; the loader then installs BazarBackdoor, which is capable of exfiltrating files from a victim, terminating running processes, and executing arbitrary payloads.