Ransomware FIN12 is Now in Europe

On Wednesday, Google’s Threat Analysis Group (TAG) sent out an abnormally large number of alerts to roughly 14,000 Gmail users, suggesting that they may be targeted by a government cyberespionage group at the moment. According to reports from BleepingComputer and the Record, the attacks were carried out by APT28, also known as Fancy Bear, Russia’s GRU. Shane Huntley, a TAG member, tweeted on the ramifications of such warnings: Although Google is likely to have prevented the attacks, you should take precautions immediately to protect yourself, as “you are a possible target for the next assault.”

Mandiant later issued a report on FIN12, a ransomware gang known for focusing on healthcare businesses and being “aggressive, financially driven.” FIN12 focuses on ransomware as a whole, rather than the larger criminal practice of double extortion. It also makes extensive use of C2C market initial access brokers.

Mandiant has warned that this fast-moving malware in the healthcare industry that started in North America is already expanding its activities in Europe and APAC.

The team seems to utilize Ryuk ransomware to target businesses with more than $300 million in sales, collaborating with other cyber criminals for early access, particularly those linked to Trickbot and BazarLoader malware. FIN12 has substantially reduced the time it takes to install ransomware to target networks thanks to these collaborations and the avoidance of multiple extortion techniques.