One of the toughest ransomware groups operating today has no qualms about attacking healthcare organizations. In fact, it purposely targets healthcare and other large organizations in education, finance, manufacturing and technology. A recent report from Mandiant, a cybersecurity services firm, details the history, techniques and growth of a group called FIN12.
“FIN12 is unique…because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector.”
Cybersecurity Attacks Aided by Other Ransomware Threat Actors
Unlike most ransomware threat actors, they have repeatedly targeted healthcare organizations. Almost 20 percent of the FIN12 targets have been in the healthcare industry and many of them operate medical facilities. They are also the first threat actor highlighted by Mandiant that specializes in a specific phase of the attack lifecycle—ransomware deployment—while relying on other threat actors to gain initial access to their victims. According to the report:
“This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.”
This specialization makes FIN12 especially threatening. By teaming up with other criminal groups, they are able to break in to more organizations and act more quickly, according to Mandiant. They are also unpredictable and difficult to identify because their access is enabled by other groups using common tools. They don’t necessarily have a unique identifying “signature”.
The Mandiant report explains that FIN12 was operating since at least 2018, before the October, 2020 joint alert from multiple federal agencies (HHS, CISA and the FBI) warning of an “increased and imminent” threat to hospitals, medical facilities and the public health sector. Although FIN12 first focussed on North America, over the past year it has expanded into Europe and the Asia Pacific region.
This targeting pattern is harsher than some other ransomware groups who at least said they would hold back from targeting hospitals, especially during the COVID-19 pandemic. But threat actors known as Ryuk, Conti, Trickbot, BazarLoader and FIN12 had no such qualms and continued, even amped up their attacks, taking advantage of a healthcare system stressed by the pandemic.
HIPAA Risk Management can Prevent Ransomware
Our advice is to follow HIPAA because it’s a blueprint to prevent ransomware, and provides steps to follow in the event an attack gets through in spite of your efforts.
Advice from CISA, the FBI and HHS highlight:
- Keep operating systems, software, and applications current and up-to-date.
- Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.
- Back up data regularly and double-check that those backups were completed.
- Secure the backups. Make sure they are not connected to the computers and networks they are backing up.
- Create a continuity plan to manage in the aftermath of a ransomware attack.
HIPAA also requires regular workforce training to help employees learn to recognize cyber attacks, and strategies to avoid or prevent them.
Here are five simple steps you can take now to fight back against the bad guys. Or check out the HIPAA Security Rule Checklist in The HIPAA E-Tool®. We can show you stronger defenses and better compliance.