Skip to main content

New Aggressive Ransomware Attack Targeting Hospitals, Pharmacies and Clinics.




An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.


Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.


"FIN12 relies on partners to obtain initial access to victim environments," Mandiant researchers said. "Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims."


The use of initial access brokers to facilitate ransomware deployments isn't new. In June 2021, findings from enterprise security company Proofpoint revealed that ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities, with Ryuk infections mainly leveraging accesses obtained via malware families like TrickBot and BazaLoader.


FIN12's targeting of the healthcare sector suggests that its initial access brokers "cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained."



Mandiant also noted that it observed, in May 2021, threat actors obtaining a foothold in the network through phishing email campaigns distributed internally from compromised user accounts, before leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Attacks mounted between mid-February and mid-April of 2021 are said to also have taken advantage of remote logins by getting hold of credentials to victims' Citrix environments.


Although FIN12's tactics in late 2019 involved using TrickBot as a means to maintain a foothold in the network and carry out latter-stage tasks, including reconnaissance, delivering malware droppers, and deploying the ransomware, the group has since consistently banked on Cobalt Strike Beacon payloads for performing post-exploitation activities.


Prevent Data Breaches

FIN12 also distinguishes itself from other intrusion threat actors in that it doesn't engage in data theft extortion — a tactic that's used to leak exfiltrated data when victims refuse to pay up — which Mandiant says stems from the threat actor's desire to move quickly and strike targets that are willing to settle with minimal negotiation.


"The average time to ransom (TTR) across our FIN12 engagements involving data theft was 12.4 days (12 days, 9 hours, 44 minutes) compared to 2.48 days (2 days, 11 hours, 37 minutes) where data theft was not observed," the researchers said. "FIN12's apparent success without the need to incorporate additional extortion methods likely reinforces this notion."


"[FIN12 is the] first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle — ransomware deployment — while relying on other threat actors for gaining initial access to victims," Mandiant noted. "This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another."

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.