Cyber experts warn of ‘aggressive’ threat actor targeting healthcare

Analysts from Mandiant Intelligence say FIN12 has been behind multiple ransomware attacks on hospitals and other provider organizations dating back at least to October 2018.

The security firm Mandiant Intelligence has raised the alarm about FIN12, the threat actor behind ransomware attacks disproportionately affecting the healthcare sector.  

Mandiant characterized FIN12 as “aggressive” and “financially motivated,” specializing in ransomware deployment while relying on other bad actors to gain access to victims.  

“FIN12’s operations provide illustration that no target is off limits when it comes to ransomware attacks, including those that provide critical care functions,” wrote researchers in the report.   

“Almost 20% of directly observed FIN12 victims were in the healthcare industry, and many of these organizations operate medical facilities,” they added.  


According to Mandiant, FIN12-orchestrated ransomware attacks reach back years, to at least October 2018.  

It specializes in the deployment of primarily RYUK ransomware, appearing to prioritize speed and higher-revenue victims. Notably, FIN12 does not generally steal victim data or leverage it for extortion.   

“However, it is plausible that these threat actors may evolve their operations to more frequently incorporate data theft in the future,” acknowledged report authors.  

Although the group appears to be “relatively industry agnostic,” they said, its actions have had a greater impact in the healthcare industry.   

“Given that many actors refuse to target this industry, it may also be easier or cheaper to obtain access to healthcare organizations,” according to the report. “However, by targeting healthcare facilities, FIN12 may face increased scrutiny from law enforcement agencies as well as potential partners that wish to limit public exposure.  

“While many threat actors prohibit targeting of hospitals, others likely target healthcare facilities because they believe that these organizations are more likely to pay ransom demands.”  

Nearly 85% of the group’s known victims have been in North America, but there are some indicators that the regional targeting is expanding.  

“We suspect that FIN12 is likely [composed] of Russian-speaking actors who may be located in countries in the Commonwealth of Independent States,” said the report authors. “FIN12 has not targeted CIS-based organizations and identified partners, and all currently identified RYUK users have spoken Russian.”  

Mandiant experts emphasized the importance of paying attention to intrusion actors such as FIN12, particularly given their tendency to switch between ransomware “brands.”   

“The shifting nature of these allegiances is a key reason for why intrusion operators such as FIN12 are important for security teams and organizations to understand and track rather than maintaining an exclusive focus on the brands and ransomware families these operators choose to distribute at a given moment,” they said.  


The U.S. government and cyber experts have sounded the alarm about a variety of ransomware outfits in the past few months, including Conti, BlackMatter and LockBit.  

Meanwhile, legislators have begun to move toward shoring up critical infrastructure organizations’ cybersecurity defenses, either with the carrot of more resources or the stick of attack or payment reporting mandates.  


“We track FIN12 as a distinct threat actor given their specific role in the deployment of ransomware, their ability to work independently of these families, and our observations of other distinct threat actors who also deploy ransomware using accesses obtained via these malware ecosystems,” read the Mandiant report.

Kat Jercich is senior editor of Healthcare IT News.Twitter:@kjercichEmail:kjercich@himss.orgHealthcare IT News is a HIMSS Media publication.

Leave a Reply

Your email address will not be published. Required fields are marked *