Russian-speaking hacking group scaling up ransomware attacks on hospitals

A Russian-speaking cyber criminal group is disproportionately using ransomware attacks to target hospitals and health care groups across North America as the COVID-19 pandemic continues, according to new research released Thursday. 

Cybersecurity organization Mandiant labeled the group “FIN12” as part of a report detailing the group’s activities, with Mandiant noting that it has been in existence since at least 2018, but was increasingly hitting organizations in North America with annual revenues of more than $300 million with ransomware attacks. Many of these companies made even more, with the average annual revenue of North American groups targeted at just under $6 billion. 

According to Mandiant, one in five of FIN12’s victims were health care groups, many of which operate hospitals, while other victims have included groups in business services, education, finance, government, manufacturing, retail and technology.

While the majority of victims have been located in North America, other victims are located in Europe and Asian Pacific nations. FIN12 has made a massive profit in targeting these companies, with Mandiant noting that most ransom demands were likely between $5 million and $50 million. 

Kimberly Goody, director of Financial Crime Analysis at Mandiant, described FIN12 Thursday as “one of the most aggressive ransomware threat actors tracked by Mandiant.”

“Unlike other actors who are branching out into other forms of extortion, this group remains focused purely on ransomware, moving faster than its peers and hitting big targets,” Goody said in a statement. ”They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims.”

Mandiant noted that the group was the same organization that led a coalition of U.S. federal agencies to issue a report last year warning that hospitals and health care providers were being increasingly targeted. FIN12 often uses the Ryuk ransomware virus, which was linked last year to the attack on Pennsylvania-headquartered hospital chain Universal Health Services, which operates about 250 U.S. health care facilities.

At the time, Mandiant, which was previously FireEye, labeled the group “UNC1878,” warning in a report that “the operators conducting these campaigns have actively targeted hospitals, retirement communities and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.”

FIN12 is fairly unique in its increased targeting of health care groups, with the Mandiant report noting that while “it may also be easier or cheaper to obtain access to healthcare organizations,” FIN12 would like “face increased scrutiny from law enforcement agencies.”

Mandiant noted in the report that FIN12 intrusions had made up around 20 percent of the ransomware attack engagements the company had over the past year.

Ransomware attacks have become an increasing threat to hospitals, schools, and other critical organizations during the COVID-19 pandemic, which saw more of everyday life move online and often on to aging, vulnerable systems. Ransomware attacks against major groups have also endangered key supply chains, including the attacks in May on Colonial Pipeline and meat producer JBS USA.