Aggressive Tactics Utilized by the FIN12 Group Results in Rapid Deployment of Ransomware

Researchers at Mandiant recently released a special report highlighting notable threat groups, ransomware, and other threats. In this report, a group, which they refer to as FIN12, was responsible for several aggressive ransomware attacks that were highly successful. The ransomware group has gotten notably faster at encrypting networks, decreasing the time from initial access to ransom demand from 5 days down to less than two. The cybersecurity researchers at Mandiant believe this group is responsible for one out of every five attacks investigated by their firm. FIN12 is a financially motivated group, and they intend to extort as many victims as possible.

What do we know about FIN12?

The group had gained notoriety for their RYUK ransomware attacks that can be traced as far back as October of 2018. The Mandiant report classifies FIN12 as a post-compromise activity group as the cybersecurity researchers believe that FIN12 depends on external partners for initial access to victim systems. Most other comparable groups in this category primarily focus on data harvesting and extorting, however, FIN12 is observed to focus on primarily speed. With the group not focused on collecting data, they can deploy their ransomware sooner and move on to the next target.

FIN12 appears to rely on close partnerships for initial intrusions into organizations and is particularly selective about its targets. The ransomware group is known to target organizations in the health care industry and other high-revenue organizations. Many of these organizations are more willing just to pay the ransom demand. Currently, FIN12 primarily selects targets located in North America, however, it appears that they have been expanding their geographical reach.

Between February and April of 2021, FIN12 targeted and accessed at least 4 organizations’ Citrix environments. It is still unclear how the group acquired authentic credentials to the environments, however, the researchers at Mandiant theorize that it could have been from purchases made on underground forums.

In May of 2021, FIN12 launched 2 successful email campaigns that resulted in the malicious email being distributed internally from compromised user accounts. In both cases, the group used stolen credentials to access the target organization’s Microsoft 365 environment where they distributed their payloads.

FIN12 almost exclusively utilizes RYUK ransomware, however, there is one instance where they deployed CONTI. The Mandiant report also stated that FIN12 would use a broad toolset that included PowerShell-based EMPIRE framework and TrickBot banking Trojans.  Since February of 2020, the group has also incorporated the use of Cobalt Strike Beacon payloads for internal scans and intelligence to even launch their ransomware payloads.

Some recommendations that organizations can take to avoid falling victim to ransomware attacks are:

  • Utilize an offsite or cloud-hosted backup solution to avoid data loss
  • Apply security patches on systems as soon as possible to keep your systems from becoming more vulnerable
  • Check user’s accounts against data breach websites like Have I Been Pwned and have them change any associated credentials
  • Implement multi-factor authentication as an additional security layer against attacks that attempt to exploit stolen credentials


Follow us on Facebook, & LinkedIn or Contact us at 406-646-2102 and get your questions answered.

Comments are closed
Our team knows the importance of the work we do for our clients. We know that our efforts have a direct impact on your productivity, profitability and success, so we take our tasks seriously! We look forward to providing your company with strong
ROI and value.