With the intense reactions of the US government and the abrupt end of TrickBot, ransomware operators have turned to Asia and escalated their ambitions.

Remember the RYUK ransomware attacks targeting hospitals and healthcare organizations in North America last year? The threat groups behind the attacks were using RYUK ransomware via Trickbot as the delivery mechanism.

Then, when Microsoft disrupted the Trickbot infrastructure, the ransomware groups went into hiding as they sought out a new delivery mechanism.

However, under the watchful eyes of a global threat intelligence team, the groups’ re-emergence has not gone undetected. Instead, the status of one ransomware actor, UNC1838 has now been escalated to that of an aggressive ‘financially motivated actor’ (FIN) and given the “12” suffix for chronological tagging.

According to Yihao Lim, a threat intelligence advisor with Mandiant (APAC): “Organizations targeted in the Asia Pacific have an average annual revenue of US$14.5bn, much higher than targets in Europe (US$7.4bn) and North America (US$5.7bn). While the higher annual revenue in APAC targets could be a case of collection bias and extreme outliers from the threat actor perspective, it is clear that organizations in APAC can ‘afford to pay’. Given the increased pressure by the US government to sanction and hunt down ransomware groups, it could lead to a shift in focus to APAC region where regulations are still premature and less coherent.”

How UNC1878 became FIN12

Since 2018, threat intelligence teams from Mandiant have been eyeing incident response data and years of threat analyses to piece together a fuller picture of what drives cybercriminal groups.

After the spate of RYUK-based hospital and healthcare attacks between Oct 2018 and Mar 2020 using Trickbot as a delivery mechanism subsided, Mandiant researchers noted that UNC1838 had gone into hiding. Then, in Sep 2020, new incidents were spotted using BAZARDLOADER and BAZARBACKDOOR as the Trickbot replacement.

The use of common infrastructure, code signing certificates, droppers and overlaps in distribution tactics, techniques and procedures (TTPs) led the researchers to believe that the new ransomware was likely developed under the direction of common threat actors.

Furthermore, unlike other actors who were branching out into other forms of extortion, “this group focused purely on ransomware, moving faster than its peers and hitting big targets. They are behind several attacks on the healthcare system and they focus heavily on high-revenue victims,” according to Kimberly Goody, Director of Financial Crime Analysis, Mandiant.

Consequently, the firm has upgraded the threat group UNC1878 to the status of FIN12, indicating its expansion beyond North American to APAC, including Australia, Indonesia, the Philipines and South Korea.

What it all means to APAC

In its latest report profiling FIN12 and the impact of the findings, Mandiant threat researchers have offered the outlook and implications of more ransomware groups escalating to financially motivated agendas:

  • It has become relatively common for bad actors to specialize in specific stages of the attack lifecycle and for groups to outsource different aspects of their operations to other actors. This trend has been particularly evident in ransomware operations in recent years, including those conducted by FIN12.
  • In the first half of 2021, as compared to 2020, FIN12 was able to significantly improve their TTR, cutting it in half to just 2.5 days. FIN12 has also seemingly made a deliberate choice to prioritize speed, rather than engage in data theft extortion.
  • However, it is plausible that these threat actors may evolve their operations to more frequently incorporate data theft in the future. For example, FIN12 could identify certain industries that weigh the threat of data exposure more heavily than downtime caused by a ransomware attack and choose to employ this tactic against those targets deemed to be of high value.
  • FIN12 has been observed to have started to work more closely with an increasingly diverse group of partners. If FIN12 closely aligns itself with another ransomware service that maintains a shaming site, these threat actors may begin to incorporate data theft into their ransomware operations more frequently.
  • FIN12 is expected to broaden their regional targeting due to the significant pushback from the US government. This elevated, unwanted attention may make FIN12 shift their attention to organizations operating in other areas of the world including nations in Western Europe and the Asia Pacific region.

Concluded Steve Ledzian, VP, CTO (APAC), Mandiant: “As the US government further prioritizes addressing the ransomware threat across a variety of means including sanctions, FIN12 and other ransomware groups may accelerate shifting targeting focus to other regions including Asia Pacific.” 

Organizations can preempt RYUK ransomware threats or any other cyberattacks by strengthening employee cyber awareness training, following zero trust and data protection best practices, and collaborating on threat intelligence activities within their industries, among many other facets of bolsterings cybersecurity.