This article provides an insight in to the way the ransomware group FIN12 conducts their “business”.  Focusing on high value victims, and quick deployment, FIN12 is a threat actor focused on making money regardless of which organisations, and the potential damage to their services users, they are hitting.  Here we look at the views on ransomware threats of our Consultant Elliot, who has a lot of experience of working alongside healthcare clients…

This story comes with two main takeaways for me: Firstly with how healthcare has become such a large target for Ransomware attackers. Gone are the days where ransomware gangs had any respect for the emergency services and would turn off the ransomware in accordance with any “flimsy” ethics that they claim to follow (Irish cyber-attack: Hackers bail out Irish health service for free – BBC News). Perhaps it’s just the group FIN12 making a bad name for the ransomware community in general, however that in itself sounds like a bizarre concept.

Secondly, the motivations have yet again further streamlined their revenue source. Skipping data exfiltration not only gets them money faster, a quicker execution means there is less time for any analysts or monitoring systems to pick up on the presence of intrusion in a system or network. When it comes to Incident Management, the best time to catch a suspicious event is as it happens, any time after that makes the potential consequences exponentially worse. This revelation just shortens that time-frame even more.

For healthcare services, the best defence against ransomware threats is ensuring there are well-established monitoring systems across the network so that any intrusion is spotted as soon as possible. Phishing training and patch management are equally as important in the case of FIN12, as they commonly use exploits and phishing campaigns to gain initial access.

To discuss what CyberScale can do to help protect your organisation get in touch with the team for a discussion about our Consultancy and Training services.