Ransomware attacks on hospitals during the height of the coronavirus pandemic last year were launched by “FIN12,” a group of suspected Russian-speaking criminals, cybersecurity company Mandiant said Thursday.
Kimberly Goody, Mandiant director of financial crime analysis, told reporters that FIN12 hits hospitals and moves faster than other ransomware gangs that hold computer systems and data hostage until victims pay up.
While some cybercriminals placed hospitals off-limits, FIN12 considered them lucrative targets — its victims have an average annual revenue of $6 billion, according to Mandiant's analysis.
“Back in October of 2020, there was this joint alert from multiple U.S. government entities that specifically highlighted this heightened threat of ransomware attacks to the health care sector — we firmly believe that this alert was at least partially in response to FIN12 operations,” Ms. Goody said.
Last October, several agencies of the federal government published a joint cybersecurity advisory warning that the federal government had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The agencies noted then that attackers used Ryuk ransomware, which Ms. Goody said FIN12 has consistently used even as other gangs switch between strains of ransomware that they deploy.
Ransomware attacks increased dramatically in the last year and claimed high-profile victims from the health care sector to a pipeline company providing fuel to the East Coast and a major meat producer.
For example, Sky Lakes Medical Center in Oregon was among the hospitals that got hit with ransomware in October 2020, and the center’s spokesperson Tom Hottman previously said there was no indication that personal health information was compromised or shared at the time. Patients were provided the opportunity to have medical imaging redone at no cost because of the ransomware’s encryption of their medical imaging.
The report on FIN12 came as Microsoft issued a report Thursday that found Russia accounted for most state-sponsored hacking detected by the software giant over the past year, with a 58% share, mostly targeting government agencies and think tanks in the U.S.
The devastating effectiveness of the long-undetected SolarWinds hack — it mainly breached information technology businesses including Microsoft — also boosted Russian state-backed hackers’ success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months.
China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said in its second annual Digital Defense Report, which covers July 2020 through June 2021.
The Microsoft report also cited ransomware attacks as a serious and growing plague, with the U.S. by far the most targeted country, hit by more than triple the attacks of the next most-targeted nation.
President Biden has sought to thwart Russian cybercriminals by asking Russian President Vladimir Putin to act against cyberattackers inside his country. The Biden administration also has recently sanctioned a cryptocurrency exchange operating in Russia for allegedly facilitating payments to cyber gangs.
Mandiant's report on FIN12 said the group's members are "likely comprised of Russian speaking actors who may be located in countries in the Commonwealth of Independent States (CIS)," which includes Russia and former members of the Soviet Union such as Ukraine and Kazakhstan.
Pinpointing who is responsible for ransomware operations is challenging because, Ms. Goody said, people join and leave various cybercrime teams all the time.
“There isn’t like a nation that you are aligned to in the cybercrime space and so that does tend to … muddy the waters a little bit,” said Ms. Goody.
Ms. Goody said Mandiant traced FIN12’s activity back approximately three years, during which time it has traditionally targeted North American victims. But it branched out to more regions of the world in 2021.
Among the characteristics that make FIN12 different from other ransomware gangs is that it is not nearly as concerned with data theft. In 90% of FIN12 intrusions observed by Mandiant, Ms. Goody said, Mandiant did not see any data theft, which has become a key tool that cybercriminals use to leverage ransom payments from their targeted victims.
Instead, FIN12 moves fast, and its time to ransom after breaching a system was approximately 10 days faster when it chose not to steal data than when it did.
While Mandiant said elevated attention to ransomware from the U.S. government may drive FIN12 toward potential victims in Western Europe and Asia, the ransomware threat has not diminished.
Earlier this week, Army Gen. Paul Nakasone, National Security Agency director and commander of U.S. Cyber Command, said he was surging resources to respond to the national security problems posed by ransomware.
“We have a surge going on right now across both the agency and the command, in terms of understanding the threats that ransom provide, understanding the tactics, understanding how we get after the adversaries,” said Gen. Nakasone at a conference hosted by Mandiant in D.C.
Asked by Mandiant CEO Kevin Mandia about whether ransomware would remain a daily problem in five years, Gen. Nakasone answered, “every single day.”
• This story is based in part on wire service reports.