It is a well-known fact that the majority of ransomware actors are spending time on the victim network looking for important data to steal.
FIN12 has been a prolific threat actor with a strong focus on making money who has carried out ransomware attacks since at least October 2018.
FIN12 is different from other ransomware gangs because it skips the data exfiltration step, which is used by other ransomware gangs to increase their chances of getting paid.
It seems that most ransomware gangs that also steal data have a median stay duration on the victim’s network of five days, with an average value of 12.4 days.
With FIN12, the average time spent on the victim network decreased year after year,