FIN12 was identified to be the group behind RYUK ransomware attacks

FIN12 cybercrime group RYUK ransomware cyberattacks

Cybersecurity researchers have identified the cybercrime group that executed the RYUK ransomware to be FIN12. RYUK ransomware targets big organizations with average revenue of at least $6 billion. Compared to other ransomware gangs, FIN12 deploys its ransomware as fast as 2.5 days. Its main targets include healthcare organizations. 


FIN12 is a ransomware gang that focuses on gaining a significant profit, which is made possible due to how fast they execute the attacks.


According to researchers, this cybercrime gang appears to be a Russian-speaking group. They seem to be experts on the ransomware process while letting the initial attack stages to other groups. Most of their reported victims are located in North America, but they have also executed some ransomware attacks in Europe and the Asia Pacific. At least 20% of this group’s victims are healthcare institutions. 

New policy initiatives have been released by the US government authorities to end ransomware cybercrimes. The Department of Justice (DoJ) initiated a National Cryptocurrency Enforcement Team to stop the illegal use of cryptocurrency. This aim is due to that cryptocurrency is used as a payment mode option by cybercrime groups.  

In May, President Joe Bidden has announced an executive order concerning cybersecurity following the issue of the Colonial Pipeline attack. Security authorities have also added that the US government is enhancing its efforts to stop ransomware attacks. 

However, authorities find it challenging to unmask the masterminds behind some attacks due to a layered model of the threat process. According to researchers, the real brains of the attack could be somebody else aside from the code writers, FIN12, or other attack deployment groups. The criminal masterminds determine the targets and then communicate with fellow cybercriminals to execute the attacks toward the targets. 

Security researchers acknowledge that layered attack model regarding how FIN12 performs a fast ransomware attack since the group can focus only on the attack execution. FIN12’s specialization in a single stage of the attack life cycle enables them to do it faster. 

Moreover, researchers fear that these threat actors may develop their operation process more in the future. Cybercrime groups like FIN12 can find specific industries that are more focused on the threat of data exposure rather than the downtime caused by their cyber-attack.  

About the author


Leave a Reply