A highly successful and aggressive ransomware gang is encrypting networks faster and faster as they seek to extort ransom payments from as many victims as possible.
Researchers at Mandiant examined ransomware attacks by a cybercriminal group they call FIN12 – responsible for one in five of the attacks investigated by the cybersecurity firm – and found that it has significantly reduced the time between initial entry into a network and encrypting it with ransomware, most commonly Ryuk.
According to data published in Mandiant’s M-Trends 2022 Report, the average dwell time of FIN12 campaigns – the time between when the criminal hackers gained initial access to the network and when they triggered the ransomware attack – has dropped from five days to less than two days.
One of the reasons the lifecycle of these attacks is so drastically reduced is that FIN12 campaigns don’t focus on finding sensitive data and stealing it before triggering a ransomware attack.
Searching for and stealing data has become a common tactic of many ransomware groups: in addition to encrypting the data, they threaten to publish it if the ransom is not paid. It’s a successful technique that many of the most advanced ransomware gangs employ to pressure victims into paying.
But despite not adopting this technique, FIN12 is still a very successful ransomware operation that, in addition to its speed of deployment, is notable for selecting what it considers to be easy targets for extortion.
For example, cybercriminal groups regularly target hospitals and medical facilities – organizations that urgently need their networks up and running to deliver patient care. That means victims in the healthcare sector may be more willing to pay a ransom than victims in other industries.
The group also targets organizations with high revenues, which is likely a deliberate tactic, as the attackers believe those victims offer the best chance of extracting a large ransom payment.
The Mandiant report states, “The lack of large-scale data in the FIN12 incidents has almost certainly contributed to the group’s high activity tempo.”
There are several methods FIN12 uses to get into a network, including gaining access through a previous backdoor malware infection, such as TrickBot or BazarLoader. The malware is delivered to the machine – sometimes via a phishing email – and ransomware groups often lease or otherwise leverage this access to ultimately encrypt the network.
The researchers also noted that some FIN12 campaigns took advantage of legitimate usernames and passwords to log into virtual environments, including Microsoft Office 365. It’s possible these credentials were purchased on underground forums.
FIN12 tends to focus its attacks on North American victims – but Mandiant warns that the ransomware group is likely to target more victims around the world.
Jamie Collier, senior threat intelligence adviser at Mandiant, added: “Cybercriminals often seek to leverage the mixed security levels in EMEA to focus on low-security, high-value targets.”
Some steps organizations can take to help avoid falling victim to ransomware attacks include applying security patches in a timely manner, so cybercriminals cannot exploit known vulnerabilities to distribute malware, and ensuring that any passwords that have been exposed in a breach are changed.
Organizations should also provide users with multi-factor authentication as an additional barrier against cyberattacks that attempt to abuse leaked credentials.