Home > List all groups > FIN12

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: FIN12

NamesFIN12 (Mandiant)
MotivationFinancial crime, Financial gain
First seen2018
Description(Mandiant) Today, Mandiant Intelligence is releasing a comprehensive report detailing FIN12, an aggressive, financially motivated threat actor behind prolific ransomware attacks since at least October 2018. FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector. They are also the first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle—ransomware deployment—while relying on other threat actors for gaining initial access to victims. This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.
ObservedSectors: Education, Financial, Healthcare, Manufacturing, Technology.
Countries: Australia, Canada, Colombia, France, Indonesia, Ireland, Philippines, South Korea, Spain, UAE, UK, USA.
Tools usedBazarBackdoor, Cobalt Strike, TrickBot.

Last change to this card: 02 November 2021

Download this actor card in PDF or JSON format

Previous: FIN11
Next: Fishing Elephant

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key