FIN12: threat against Hospitals and Healthcare
In recent weeks, analysis has been published on a criminal group whose attacks date back to October 2018. The group, which has been given the name FIN12, distinguishes itself from other ransomware gangs through its targeting profile. Numerous attacks have been observed against organizations in the healthcare and hospital sectors, with particularly elevated ransom demands.
FIN12 Characteristics
The group is characterized by its speed of execution and negotiation; notably, attempts at double extortion (wherein an additional ransom is demanded by threatening publication of exfiltrated data) have rarely been observed. The group’s rapid ransom demands reflect its operational model: its activities are limited to malware deployment (primarily ransomware) following the purchase of access obtained by third parties (Access Brokers). Within victim environments, deployments of TRICKBOT (malware widely distributed in Italy) have been tracked, followed by BAZARLOADER. Through Cyber Threat Intelligence monitoring, we have documented this progression across multiple intrusions.
By prioritizing speed in ransomware deployment and ransom demands, the threat actors frequently forgo the opportunity to exfiltrate victim data.
The group’s activities have been observed primarily in North America, though attacks have also been documented in the rest of the world, including Europe. The possibility of FIN12 attacks cannot be excluded; sustained vigilance is therefore necessary in the healthcare and hospital sectors, where risk may be underestimated. Organizations should maintain heightened awareness of access broker marketplaces and implement rapid detection mechanisms for ransomware deployment patterns characteristic of this threat actor.