IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

FIN12 Group Profile: FIN12 Prioritizes Speed To Deploy Ransomware Against High-Value Targets

FIN12: A financially motivated threat group, specializes in the post-compromise deployment of primarily RYUK ransomware. Instead of conducting multifaceted extortion, FIN12 appears to prioritize speed and higher revenue victims.

  • Since initially emerging, FIN12 has maintained close partnership with TRICKBOT-affiliated threat actors. However, FIN12 has seemingly diversified its partnerships for initial access operations, particularly in 2021.
  • FIN12 relies heavily on publicly available tools and malware to enable their operations. In nearly every single FIN12 intrusion since February 2020, FIN12 has used Cobalt Strike BEACON, but historically we have observed these threat actors also use EMPIRE and TRICKBOT as a post-exploitation tool.
  • The majority of observed FIN12 victims have been based in North America, but their regional targeting has been expanding in 2021 throughout other regions, including Europe and Asia Pacific. We have observed FIN12 victims in nearly every industry, but notably 20 percent of these organizations have been based in the healthcare sector.


FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection against the next generation of cyber attacks.