Cybersecurity News & Analysis • github: defconxt • © 2026 • blacktemple.net

Threat Actors / FIN12

FIN12

Also known as: Pistol Tempest · DEV-0237 · Wizard Spider Affiliate

cybercrime

Nation: 🇷🇺 Russia
Active Since: 2018
Targets: Healthcare · Education · Financial Services · Government · Manufacturing
Known Tools: Ryuk Ransomware · Conti Ransomware · TrickBot · BazarLoader · Cobalt Strike · Mimikatz · AdFind
MITRE ATT&CK: T1078 · T1190 · T1059.001 · T1486 · T1489 · T1021.001 · T1071.001 · T1560 · T1485 · T1136
References: Mandiant FIN12 Profile · CISA Ryuk Advisory AA20-302A · MITRE ATT&CK · HHS HC3 FIN12 Healthcare Alert

Background

FIN12 is a financially motivated threat actor first publicly designated by Mandiant in 2021. The group is characterized by its exceptional speed of ransomware deployment (Mandiant research found FIN12's median time from initial access to ransomware deployment is approximately 2.5 days, far faster than most ransomware operators) and by its disproportionate focus on the healthcare sector.

FIN12 operates as a ransomware deployment specialist that leverages access provided by other cybercriminal ecosystems, particularly the TrickBot/BazarLoader infrastructure operated by Wizard Spider. Rather than conducting its own phishing campaigns to gain initial access, FIN12 appears to purchase or lease access from initial access brokers and from TrickBot botnet operators, then rapidly deploys Ryuk or Conti ransomware to maximize impact before defenders can respond.

The group's healthcare targeting has attracted significant law enforcement attention. CISA, FBI, and HHS issued an emergency joint advisory in October 2020 warning of an "imminent" FIN12 threat to U.S. hospitals, citing specific plans to infect hundreds of healthcare facilities with Ryuk during the COVID-19 pandemic. Over 75% of FIN12's publicly identified victims are in the U.S. healthcare sector, making it one of the most dangerous threats to clinical operations.

Notable Campaigns

U.S. Healthcare Ryuk Wave (2020): FIN12 conducted a coordinated campaign against U.S. hospital networks in October 2020, forcing multiple regional health systems to divert patients from emergency services and cancel surgeries. The Universal Health Services (UHS) attack affected 400 facilities across the United States and United Kingdom, disrupting patient care for over three weeks and costing an estimated $67 million in recovery costs.

Sky Lakes Medical Center (2020): The Oregon-based hospital was struck during the October 2020 wave, forcing cancellation of non-emergency surgeries and diversion of patients requiring specialized care, demonstrating real-world patient safety impacts from healthcare ransomware attacks.

Ryuk Speed Operations (2020-2021): Mandiant documented multiple FIN12 intrusions where the group moved from initial TrickBot infection to Ryuk deployment in under 48 hours, reflecting a deliberate strategy to outpace incident response capabilities.

Conti Deployment Phase (2021-2022): As the Ryuk ecosystem transitioned to Conti branding, FIN12 continued operations deploying Conti ransomware payloads, maintaining its characteristic rapid deployment tempo and healthcare targeting focus.

Tactics, Techniques & Procedures

FIN12 distinguishes itself from other ransomware operators primarily through its speed of execution and its reliance on purchased initial access rather than self-conducted phishing. The group acquires TrickBot or BazarLoader infected hosts from Wizard Spider's botnet ecosystem, then rapidly advances to ransomware deployment without extended reconnaissance phases.

Upon gaining access via purchased TrickBot infections, FIN12 establishes a Cobalt Strike beacon for C2, conducts minimal but targeted reconnaissance using AdFind for Active Directory enumeration, harvests domain administrator credentials with Mimikatz, and moves laterally via RDP to domain controllers. Ryuk or Conti ransomware is then pushed to networked systems via GPO, PsExec, or batch scripts.

FIN12's rapid timeline means defenders have a narrow window, often less than 48 hours, between the initial access alert and ransomware deployment. The group deliberately avoids extended dwell time to minimize detection opportunities.

Tools & Malware

  • Ryuk Ransomware: Primary ransomware payload for FIN12 operations through 2021. Ryuk targets enterprise environments, encrypts network shares, and disables backup recovery mechanisms.
  • Conti Ransomware: Successor to Ryuk, adopted by FIN12 as the operator ecosystem transitioned to the Conti brand.
  • TrickBot / BazarLoader: Initial access malware operated by Wizard Spider, used as the delivery mechanism for FIN12's ransomware operations.
  • Cobalt Strike: Post-exploitation C2 framework used between initial access and ransomware deployment.
  • Mimikatz: Credential harvesting tool for domain administrator credential extraction.
  • AdFind: Active Directory enumeration tool used to identify target systems for lateral movement.

Indicators & Detection

Given FIN12's speed, early detection of TrickBot and BazarLoader infections is the most effective defensive measure: if these infections are not remediated quickly, FIN12 may deploy ransomware within 48 hours. Implement behavioral detection for TrickBot's characteristic process injection, network scanning patterns, and credential theft behaviors.

Monitor for Cobalt Strike indicators following a TrickBot infection, as FIN12 almost universally deploys Cobalt Strike as its next stage. Alert on AdFind execution and Mimikatz patterns, as these signal impending ransomware deployment. Monitor for GPO modification, scheduled task creation, and PsExec usage across multiple hosts simultaneously; these are FIN12's primary lateral movement mechanisms.
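As an added example (not code from the page or from any vendor), the following Python correlation runs the detection logic above over constructed sample events: it raises precursor alerts for AdFind and Mimikatz execution and a fan-out alert when the PsExec service appears on several hosts within a short window, the multi-host pattern that precedes Ryuk/Conti deployment in the chain described under Tactics, Techniques & Procedures. The event format, hostnames, timestamps and thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one JSON object per line, loosely
# modelled on Sysmon process-creation and Windows service-install records.
SAMPLE_LOG = r"""
{"ts":"2020-10-27T02:10:00","host":"WS-011","event":"process","image":"C:\\Users\\j.doe\\AppData\\Local\\Temp\\adfind.exe"}
{"ts":"2020-10-27T02:14:30","host":"WS-011","event":"process","image":"C:\\Windows\\Temp\\mimikatz.exe"}
{"ts":"2020-10-27T02:40:00","host":"DC-01","event":"service","service":"PSEXESVC"}
{"ts":"2020-10-27T02:40:05","host":"SRV-FILE01","event":"service","service":"PSEXESVC"}
{"ts":"2020-10-27T02:40:09","host":"SRV-EHR02","event":"service","service":"PSEXESVC"}
{"ts":"2020-10-27T02:40:12","host":"WS-042","event":"service","service":"PSEXESVC"}
{"ts":"2020-10-27T09:00:00","host":"ADMIN-07","event":"service","service":"PSEXESVC"}
"""

# Image names for the two precursor stages in the profile (AdFind enumeration, Mimikatz
# credential theft). Production rules should also match on hashes/behaviour: binaries get renamed.
STAGE_BY_IMAGE = {"adfind.exe": "ad_enumeration", "mimikatz.exe": "credential_theft"}


def parse_log(text):
    """Parse one JSON event per non-empty line and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_fin12_chain(events, window=timedelta(minutes=10), min_hosts=3):
    """Return precursor alerts for AdFind/Mimikatz execution plus one 'psexec_fanout'
    alert if the PsExec service (PSEXESVC) lands on >= min_hosts hosts within `window`."""
    alerts, psexec_installs = [], []
    for ev in events:
        if ev["event"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the executable
            if image in STAGE_BY_IMAGE:
                alerts.append({"alert": STAGE_BY_IMAGE[image], "host": ev["host"],
                               "ts": ev["ts"].isoformat()})
        elif ev["event"] == "service" and ev["service"].upper() == "PSEXESVC":
            psexec_installs.append((ev["ts"], ev["host"]))
    # Sliding window over the time-sorted installs; flag the first burst reaching min_hosts.
    for i, (start, _) in enumerate(psexec_installs):
        hosts = {h for t, h in psexec_installs[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            alerts.append({"alert": "psexec_fanout", "hosts": sorted(hosts),
                           "ts": start.isoformat()})
            break
    return alerts
```

On the sample data the lone PSEXESVC install on ADMIN-07 hours later is not flagged, while the four installs within twelve seconds are; tune `window` and `min_hosts` to what normal administrative PsExec use looks like in your environment.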

Healthcare organizations specifically should implement segmentation between clinical networks and corporate IT infrastructure, ensuring that ransomware cannot propagate from administrative systems to clinical environments. Maintain offline, air-gapped backups of electronic health record systems.
