Ransomware: This gang is getting a lot quicker at encrypting networks

A highly successful and aggressive ransomware gang is getting even faster at encrypting networks as they look to extort ransom payments from as many victims as possible.   

Researchers at Mandiant examined ransomware attacks by a cyber-criminal group they refer to as FIN12 – responsible for one in five attacks investigated by the cybersecurity company – and found that there's been a significant decrease in the amount of time between initially breaking into networks and their encryption with ransomware, most commonly Ryuk ransomware. 

According to data published in Mandiant's M-Trends 2022 report, the average dwell time of FIN12 campaigns – the amount of time between criminal hackers gaining initial access to the network and triggering the ransomware attack – has dropped from five days to less than two days.  

SEE: Cloud security in 2022: A business guide to essential tools and best practices

One of the reasons the life cycle of these attacks has been so heavily reduced is because FIN12 campaigns don't focus on finding sensitive data and stealing it before triggering a ransomware attack.  

Searching for and stealing data has become a common tactic for many ransomware groups, who in addition to encrypting the data, threaten to publish it if a ransom isn't paid. It's a successful technique that many of the most high-profile ransomware gangs deploy to coerce the victim into paying the ransom. 

But despite not adopting this technique, FIN12 is still a highly successful ransomware operation, which in addition to deploying speed also appears to specially select what they perceive to be easy targets from which to extort ransoms. 

For example, the cyber-criminal group is known to frequently target hospitals and healthcare – organisations that desperately need networks up and running to provide patient care. That means victims in the healthcare sector might be more willing to give into ransom demands than victims in other industries. 

The group also targets organisations that make high revenues, potentially a tactic that is also deployed because the attackers believe they have the best chance of making large amounts of money from ransoms.  

“The lack of large-scale data exfiltration in FIN12 incidents has almost certainly contributed to the group's high cadence of operations,” says the Mandiant report. 

There are several methods that FIN12 uses to infiltrate networks, including gaining access via earlier backdoor malware infections, such as TrickBot and BazarLoader. The malware is delivered to machines – sometimes via phishing email – and it's common for ransomware groups to lease out or otherwise leverage this access to ultimately encrypt the network. 

Researchers also note that several FIN12 campaigns have leveraged legitimate usernames and passwords to log in to virtual environments, including Microsoft Office 365. It's possible that these credentials were bought on underground forums. 

FIN12 tends to focus attacks against North American victims – but Mandiant warns that the ransomware group could potentially target a wider range of victims around the world.  

“The United States government and law enforcement community have significantly amped up the pressure on ransomware operators. This has increased the risks of ransomware groups targeting American organisations and by extension makes EMEA a more tempting target,” said Jamie Collier, senior threat intelligence advisor at Mandiant 

“Cyber criminals will often seek to capitalise on the mixed levels of security maturity within EMEA to focus on high-value, low-security targets,” he added. 

Some of the steps that organisations can take to help avoid falling victim to ransomware attacks include applying security patches promptly, so cyber criminals can't exploit known vulnerabilities to deliver malware and to ensure that any password that is known to have been breached is changed. 

Organisations should also provide users with multi-factor authentication as an additional barrier against cyberattacks that attempt to abuse leaked credentials.  

MORE ON CYBERSECURITY