It is well known that most ransomware actors spend time on the victim network looking for important data to steal.
FIN12 does not follow this course of action; it mostly opts for quick malware deployment against sensitive, high-value targets.
FIN12 is a prolific, financially motivated threat actor that has carried out ransomware attacks since at least October 2018.
As explained by BleepingComputer, the gang collaborates closely with the TrickBot gang and preys on high-value victims (above $300 million) in a range of sectors and locations throughout the world.
FIN12 differs from other ransomware gangs in that it skips the data exfiltration step, which those gangs use to increase their chances of getting paid.
Skipping that step allows the gang to carry out attacks faster than past ransomware groups, taking less than two days from the first infiltration to file encryption.
It seems that ransomware gangs that also steal data have a median dwell time on the victim’s network of five days, with an average of 12.4 days.
With FIN12, the average time spent on the victim network decreased year after year,