FIN12

Threat Actor updated a month ago (2024-11-29T14:36:39.544Z)
Download STIX
Preview STIX
FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware attacks, notably on U.S. hospitals in 2020. However, it has since broadened its targeting range. A unique aspect of FIN12's operations is its simultaneous activity with other threat actors like FIN7 on the same victim system, utilizing different infrastructure and tradecraft, which highlights the challenges of technical attribution for cybercriminal threats. FIN12 has been particularly active against the healthcare industry, as reported by the HHS in 2022. In one notable incident, the group used valid credentials belonging to a healthcare professional to gain backdoor access to a French hospital's network in Brest. They employ tools such as SystemBC alongside Cobalt Strike or CS Beacon to deploy ransomware. Additionally, DAVESHELL, a tool used by nearly 30 threat groups including FIN12, has been observed loading DICELOADER in a manner unique to a small cluster of threat activity. The group is linked to Wizard Spider, a financially motivated hacking group, and has shown connections to Exotic Lily, a Russian financially-motivated cybercrime group. Furthermore, research has identified over two dozen different threat actors, including FIN12, hosting command-and-control (C2) servers on Cloudzy infrastructure. This diverse list includes Chinese, Indian, Iranian, North Korean, Pakistani, Russian, Vietnamese actors, Israeli spyware vendor Candiru, and various cybercriminal groups. These associations underscore the interconnected nature of the cybercrime landscape and the significant threat posed by FIN12.
Description last updated: 2024-06-24T19:16:58.395Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Pistachio Tempest is a possible alias for FIN12. Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en
3
Wizard Spider is a possible alias for FIN12. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu
2
EXOTIC LILY is a possible alias for FIN12. Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Beacon
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Conti Malware is associated with FIN12. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
2
The Systembc Malware is associated with FIN12. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
2