FIN12 Gets Faster at Encrypting Networks, Mean Dwell Times Reduce

Some stats your way

• The global median dwell time dropped down to 21 days in 2021 from 24 days in 2020.
• Last year, 55% of intrusions had dwell times of 30 days or less, while 67% of these were discovered in a week or less.
• Ransomware attacks accounted for 23% of all intrusions in 2021 and had a dwell time of five days.
• The average dwell time of FIN12 intrusions has dropped to two days from five days.
• While only 3.8% of malware families were used in more than 10 intrusions, 81% were used in only a couple of intrusions.
• The firm has tracked more than 700 new malware families, of which 86% were not publicly available. The top categories of new malware families include backdoors (31%), downloaders (13%), droppers (13%), ransomware (7%), launchers (5%), and credential stealers (5%).

Why this matters

• One reason why the attack life cycle of FIN12 has been shortened is that the gang does not focus on stealing confidential data before triggering the ransomware attack.
• The group is highly successful because it specially chooses easy targets to extort ransoms from.
• The diversification in malware families has become pretty prominent as adversaries keep evolving their strategies and toolsets.

More on FIN12

• While the ransomware actor primarily focuses on victims in North America, Mandiant has warned that it can target more victims across the globe.
• Among its many methods to infiltrate networks, some common ones include gaining access via previous infections, such as BazarLoader or TrickBot.
• FIN12 campaigns have, moreover, been found leveraging legitimate passwords and usernames to log into virtual environments. Researchers surmise that the attackers may have bought them from underground forums.
• Throughout last year, the threat actor used Ryuk, Beacon, SystemBC, and Metasploit to conduct some high-profile intrusions.

The bottom line