On September 18, 2023, CERT-FR, which is operated by ANSSI, published a report on the FIN12 ransomware group, deemed responsible for the attack against a hospital in the French city of Brest. In March 2022, ANSSI had warned the hospital that one of its servers was compromised.
Fortunately, “the hospital’s timely response made it possible to quickly isolate the computer system from the Internet and hinder attackers and their MO, preventing extraction of data and decryption of the computer system,” explains the CERT-FR.
The report notes that, since 2020, FIN12 has been behind “a significant number of ransomware attacks on French soil.” In the last three years the group has used a large array of ransomware, starting with Ryuk and then Conti, before adopting the Hive, BlackCat and Nokoyawa Ransomware-as-a-Service (RaaS) offerings.
According to CERT-FR, FIN12 rarely uses double extortion and therefore seldom steals its victims’ data. Instead, the group focuses on encrypting computer systems as quickly as possible. The report shows that FIN12’s time-to-ransom – the time between initial intrusion and system encryption – is notably brief, around four days.