Mandiant published its M-Trends 2022 report, in which researchers examined ransomware attacks by the infamous FIN12 gang. Moreover, the researchers found that the median attacker dwell time has gone down. The investigation was conducted from October 1, 2020, to December 31, 2021.

Some stats your way

  • The global median dwell time dropped down to 21 days in 2021 from 24 days in 2020.
  • Last year, 55% of intrusions had dwell times of 30 days or less, while 67% of these were discovered in a week or less.
  • Ransomware attacks accounted for 23% of all intrusions in 2021 and had a dwell time of five days.
  • The average dwell time of FIN12 intrusions has dropped to two days from five days.
  • While only 3.8% of malware families were used in more than 10 intrusions, 81% were used in only a couple of intrusions.
  • The firm has tracked more than 700 new malware families, of which 86% were not publicly available. The top categories of new malware families include backdoors (31%), downloaders (13%), droppers (13%), ransomware (7%), launchers (5%), and credential stealers (5%).

Why this matters

  • One reason why the attack life cycle of FIN12 has been shortened is that the gang does not focus on stealing confidential data before triggering the ransomware attack.
  • The group is highly successful because it specially chooses easy targets to extort ransoms from.
  • The diversification in malware families has become pretty prominent as adversaries keep evolving their strategies and toolsets.

More on FIN12

  • While the ransomware actor primarily focuses on victims in North America, Mandiant has warned that it can target more victims across the globe.
  • Among its many methods to infiltrate networks, some common ones include gaining access via previous infections, such as BazarLoader or TrickBot.
  • FIN12 campaigns have, moreover, been found leveraging legitimate passwords and usernames to log into virtual environments. Researchers surmise that the attackers may have bought them from underground forums.
  • Throughout last year, the threat actor used Ryuk, Beacon, SystemBC, and Metasploit to conduct some high-profile intrusions.

The bottom line

The cyber threat landscape is growing every day as new attack surfaces spawn. Although median dwell times are reducing because of better detection, the use of ransomware and multifaceted extortion keeps growing. As the barrier to entry is lowered, researchers expect the threat to grow and affect more organizations.

Cyware Publisher