Healthcare Fast Becoming The New Target Of Ransomware Group FIN12

The RYUK ransomware, in circulation since October 2018, has been linked to an aggressive, financially motivated threat actor. The group maintains a close partnership with TrickBot-affiliated operators and relies on publicly available tooling, notably Cobalt Strike Beacon payloads, to interact with victim networks.

The Russian-speaking group, previously tracked as UNC1878, has been codenamed FIN12. It focuses primarily on healthcare organizations with more than $300 million in revenue, while also targeting the education, financial and technology sectors in North America, Europe and the Asia Pacific.

Researchers at Mandiant, a cybersecurity firm, stated that “FIN12 relies on partners to obtain initial access to victims environments… Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims.”

Findings from the enterprise security company Proofpoint reveal that ransomware actors are increasingly shifting away from email as an intrusion route and instead purchasing access from cybercriminal enterprises that have already infiltrated major entities.

RYUK ransomware operators have leveraged access obtained through malware families such as TrickBot and BazaLoader. FIN12’s targeting of the healthcare sector suggests that its initial access brokers “cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained.”


In late 2019, FIN12 used TrickBot to maintain access to victim networks and carry out later-stage tasks; the group has consistently relied on Cobalt Strike Beacon payloads for post-exploitation activity.

The most striking feature distinguishing FIN12 from other intrusion actors is that it does not engage in data theft extortion, the tactic of leaking exfiltrated data when victims refuse to pay. This stems from the group’s desire to move quickly and to strike targets that are willing to settle with minimal negotiation.
