{"id":3303,"date":"2021-10-11T11:23:56","date_gmt":"2021-10-11T11:23:56","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3303"},"modified":"2026-06-08T22:49:13","modified_gmt":"2026-06-08T22:49:13","slug":"fin12-healthcare-threat","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/fin12-healthcare-threat\/","title":{"rendered":"FIN12: threat against Hospitals and Healthcare"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent weeks, analysis has been published on a criminal group whose attacks date back to October 2018. The group, attributed the name <a href=\"https:\/\/www.mandiant.com\/resources\/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets\"><strong>FIN12<\/strong><\/a>, distinguishes itself from other <strong>ransomware gangs<\/strong> through its targeting profile. Numerous attacks have been observed against organizations in the <strong>healthcare and hospital sectors<\/strong>, with particularly elevated ransom demands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FIN12 Characteristics<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The group is characterized by its speed of execution and negotiation; notably, attempts at <strong>double extortion<\/strong> have rarely been observed (wherein an additional ransom is demanded by threatening publication of exfiltrated data). The group&#8217;s rapid ransom demands reflect its operational model: activities are limited to malware deployment (primarily <strong>ransomware<\/strong>) following the purchase of access obtained by third parties (<strong>Access Brokers<\/strong>). Within victim environments, deployments of <strong>TRICKBOT<\/strong> (malware widely distributed in Italy) have been tracked, followed by <strong>BAZARLOADER<\/strong>. Through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> monitoring, we have documented this progression across multiple intrusions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By prioritizing speed in ransomware deployment and ransom demands, the threat actors frequently forgo the opportunity to exfiltrate victim data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The group&#8217;s activities have been observed primarily in North America, though attacks have been documented across the remainder of the world, including Europe. The possibility of FIN12 attacks cannot be excluded; sustained vigilance is therefore necessary in healthcare and hospital sectors where risk may be underestimated. Organizations should maintain heightened awareness of access broker marketplaces and implement rapid detection mechanisms for ransomware deployment patterns characteristic of this threat actor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FIN12 financially-motivated actor targeting healthcare: short dwell time, ransomware deployment patterns and operational priorities for hospital security teams.<\/p>\n","protected":false},"author":1,"featured_media":3429,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1625,3220,3221,1443,3222],"class_list":["post-3303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-fin12-it","tag-healthcare-targeting","tag-hospital-ransomware","tag-ransomware-it","tag-short-dwell-time"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3303"}],"version-history":[{"count":4,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3303\/revisions"}],"predecessor-version":[{"id":9875,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3303\/revisions\/9875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3429"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}