Here at CHIPS, we specialize in outsourced IT cybersecurity needs for companies both large and small. Part of our goal is to provide the latest information in the cyberthreat space, which leads us to today’s blog post. As we have said before in prior posts and blogs, the bad guys don’t stop. Bad actors constantly evolve and change their tactics to catch victim companies off guard. Now, in the latest in cyber threat news, the ransomware gang FIN12 is keeping cybersecurity professionals on their toes.
Who is FIN12?
FIN12 specializes in the post-compromise deployment of RYUK ransomware. This group, first observed in October 2018, prioritizes speed and higher ransom payments over complex extortion efforts. They maintain close relationships with other threat actors and use publicly available tools, such as TRICKBOT, Cobalt Strike BEACON, and EMPIRE malware, to enable their intrusions. And while they are equal-opportunity threat actors, a fifth of their targets have been in the healthcare sector.
Why Do They Target Healthcare Companies?
FIN12 is known to target hospitals and healthcare organizations for a very simple reason. These types of entities need to maintain constant uptime to ensure patient care remains uninterrupted. As a result, if their internal systems are hacked and held for ransom, they’re more likely to pay a ransom than companies in other industries.
How Have FIN12 Attacks Changed?
Researchers have discovered that FIN12 is getting much faster at intrusion. In recent attacks, there has been a significant decrease in the time between breaking into a target's network, encrypting it with RYUK ransomware, and demanding a ransom. In fact, the average dwell time of a FIN12 campaign has fallen from five days to, in some cases, only one day.
What is Their Methodology?
FIN12 has managed to shorten the life cycle of their attacks because they forgo stealing sensitive data before encryption. Instead, they trigger the ransomware attack first. They generally rely on backdoor infections with TrickBot and BazarLoader, delivered through phishing emails and other methods. In some cases, they have used legitimate usernames and passwords purchased on the dark web to log into virtual environments, such as Microsoft Office 365.
How Can CHIPS Protect Your Healthcare Organization?
CHIPS provides a level of security called Zero Trust. Even if internal information is compromised through a phishing scheme or information purchased from the dark web, our machine learning security system can effectively keep intruders out. We rely on three levels of Zero Trust to ensure your internal healthcare networks stay secure. Keep bad guys like FIN12 out of your systems. Visit our website to learn more. https://www.prevent-ransomware.com