An “aggressive” financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.
Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.
“FIN12 relies on partners to obtain initial access to victim environments,” Mandiant researchers said. “Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims.”
The use of initial access brokers to facilitate ransomware deployments isn’t new. In June 2021, findings from enterprise security company Proofpoint revealed that ransomware actors are increasingly…