FIN12 ransomware gang don’t implement double extortion to prioritize speed

Pierluigi Paganini October 07, 2021

Researchers detailed the activities of the FIN12 ransomware group that earned million of dollars over the past years.

Researchers from Mandiant published a detailed report on the activities of a financially motivated ransomware group tracked as FIN12 that has been active since at least October 2018. The vast majority of FIN12 victims have more than $300 million in revenue. According to the researchers, FIN12 is operating out of the Commonwealth of Independent States (CIS) region and is composed of Russian-speaking individuals.

In most of the attacks, the group employed the Ryuk ransomware, experts pointed out that until March 2020 the gang exclusively leveraged TRICKBOT accesses. Since March the group temporarily suspended its activities for four months, when returned the group started leveraging other malware, as well as Citrix and RDP logins credentials provided by other threat actors in the underground communities.

Mandiant researchers noticed that that FIN12 operators in most of the attacks did not spend time stealing information from victims’ systems before encrypting them. The attackers conduct hit-and-run operations, spending about 2,5 days within the victim’s network before encrypting the files. The ransomware operators do not implement a double-extortion model to reduce the time-to-ransom (TTR) that is on average 12.4 days in ransomware attacks.

“In the first half of 2021, as compared to 2020, FIN12 significantly improved their TTR, cutting it in half to just 2.5 days. These efficiency gains are enabled by their specialization in a single phase of the attack lifecycle, which allows threat actors to develop expertise more quickly.” reads the analysis published by the researchers.

“Each additional day FIN12 spends in an environment before completing their objective increases their risk being detected. FIN12’s apparent success without the need to incorporate additional extortion methods likely suggests the notion that they to not believe spending additional time to steal data is worth the risk of having their plans to deploy ransomware thwarted.”

Since late 2019, FIN12 began to use publicly available post-exploiting tools such as EMPIRE. Since early 2020, the gang mostly used the Cobalt Strike BEACON and only in limited cases deployed other backdoors.

“Notably, in the period following FIN12’s hiatus in 2020, the group experimented with the use of other post-exploitation tools including Covenant (GRUNT), GRIMAGENT, and ANCHOR, although by November 2020 they reverted to relying primarily on BEACON.” continues the report. “Malware payloads used by FIN12 have been packaged using a shifting set of in-memory droppers including ICECANDLE, MALTSHAKE, WEIRDLOOP, WHITEDAGGER, and templates associated with Cobalt Strike’s Artifact Kit.”

The analysis of the victimology revealed that almost 85 percent of observed targeted organizations have been based in North America and the healthcare is the most frequently targeted industry, followed by education. In a profile of the group published today by cybersecurity company Mandiant, researchers note that many FIN12 victims are in the healthcare sector.


Starting 2021, the FIN12 group expanded its operations and focused on organizations outside this North America, targeting companies in several countries worldwide, including Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the United Kingdom.

Further information related to the operations of the group is included in the report published by Mandiant.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment