active threat profile
type: Ransomware / Cybercrime
threat_level: HIGH
status: ACTIVE
origin: Russia
last_updated: 2026-03-13

FIN12

also known as: Pistachio Tempest, DEV-0237, Storm-0230

FIN12 is an aggressive, financially motivated Russian-speaking threat actor that specializes exclusively in the ransomware deployment phase of the attack lifecycle, relying on initial access brokers rather than conducting its own intrusions. Designated by Mandiant as the first "FIN" group focused solely on ransomware, FIN12 has disproportionately targeted healthcare organizations and high-revenue enterprises with Ryuk, Conti, Hive, BlackCat, Nokoyawa, and other ransomware payloads, demonstrating a willingness to target critical care facilities that other groups have avoided.

attributed origin: Russia
suspected sponsor: Cybercriminal (Wizard Spider ecosystem)
first observed: 2018
primary motivation: Financial / Extortion
primary targets: Healthcare, Manufacturing, Finance, Government
known campaigns: Hundreds (20% of Mandiant IR)
mitre att&ck group: G0102 (via Wizard Spider)
target regions: N. America (~85%), Europe, Asia-Pacific
threat level: HIGH

Overview

FIN12 is a financially motivated threat actor first designated by Mandiant in October 2021 as a distinct entity within the broader Wizard Spider/Conti cybercriminal ecosystem. Active since at least October 2018, FIN12 is notable as the first group Mandiant promoted to a named "FIN" (financially motivated) designation that specializes exclusively in a single phase of the attack lifecycle: ransomware deployment. Rather than gaining its own initial access, FIN12 purchases access from initial access brokers (IABs) and partners with malware distribution operators, including the TrickBot, BazarLoader, and Emotet ecosystems.

Microsoft tracks this actor as Pistachio Tempest (formerly DEV-0237), while MITRE ATT&CK associates FIN12 with the broader Wizard Spider group (G0102). Despite these overlapping designations, Mandiant tracks FIN12 as a distinct entity given the group's specific role in ransomware deployment, its demonstrated ability to work independently of any single malware family, and its pattern of switching between ransomware brands. Between 2018 and 2023, FIN12 deployed Ryuk, Conti, Hive, BlackCat (ALPHV), Nokoyawa, Play, Royal, Agenda, and Mindware ransomware, demonstrating remarkable adaptability.

FIN12's defining characteristic is its aggressive targeting of healthcare organizations, which accounted for nearly 20% of directly observed victims per Mandiant's reporting. The group attacked hospitals and medical facilities both before and after the October 2020 U.S. government joint alert warning of "increased and imminent" threats to healthcare. This targeting pattern deviated significantly from other ransomware operators who publicly stated intentions to avoid hospitals during the COVID-19 pandemic. FIN12's "big game hunting" approach focuses on organizations with annual revenues exceeding $300 million, with the average victim revenue around $6 billion.

Uniquely, FIN12 typically does not engage in double extortion (data theft and leak threats), instead prioritizing speed of encryption and ransom negotiation. Mandiant observed an average time to ransom of just 2.48 days in incidents without data exfiltration, compared to 12.4 days when data theft was involved. This speed-focused approach made FIN12 responsible for nearly 20% of Mandiant's ransomware incident response engagements from September 2020 onward. As of 2023, ANSSI reported FIN12/Pistachio Tempest involvement in attacks against French healthcare institutions, and the group continues to adapt its ransomware toolkit while maintaining its IAB-dependent operational model.

Target Profile

FIN12 employs a "big game hunting" strategy, preferring large organizations with annual revenues exceeding $300 million. Approximately 85% of known victims are based in North America, with expanding operations into Europe and Asia-Pacific since 2021. Victims have been identified in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the UAE, and the UK.

  • Healthcare: FIN12's defining target sector. Nearly 20% of directly observed victims operate medical facilities, including hospitals, health systems, and medical research organizations. The group continued targeting healthcare throughout the COVID-19 pandemic despite other groups' stated restraint. In 2023, ANSSI linked FIN12 to the compromise of a server at the University Hospital Center of Brest, France.
  • Manufacturing: Industrial and manufacturing companies targeted for their operational dependency on IT systems and willingness to pay ransoms to restore production. Manufacturing disruptions translate directly to revenue loss, increasing ransom payment likelihood.
  • Financial services: Banking, insurance, and financial institutions targeted for high revenue and data sensitivity. Financial sector victims meet FIN12's minimum revenue thresholds.
  • Government and public sector: Municipal governments, public agencies, and government-adjacent organizations. Local authorities and public health establishments are particularly vulnerable per ANSSI threat assessments.
  • Education: Universities and educational institutions targeted for weaker security postures relative to their data holdings. The Brest University Hospital (CHU) attack demonstrated overlap between healthcare and academic targeting.
  • Business services and technology: IT service providers, consulting firms, and technology companies. FIN12 has been observed operating simultaneously with other threat actors (such as FIN7) on the same victim system using different infrastructure.
  • Critical infrastructure and energy: In 2023, Kaspersky reported Pistachio Tempest/FIN12-linked activity targeting an African electric utility using Cobalt Strike beacons and DroxiDat (a SystemBC variant), with Nokoyawa ransomware detected in related incidents.

Tactics, Techniques & Procedures

Documented TTPs based on Mandiant's FIN12 report, Microsoft Pistachio Tempest tracking, and ANSSI advisories. FIN12's core distinction is its reliance on initial access brokers rather than conducting its own intrusions, enabling rapid ransomware deployment within hours of receiving network access.

MITRE ID | Technique | Description
T1078 | Valid Accounts | Primary initial access method. FIN12 purchases access from IABs with existing footholds via TrickBot, BazarLoader, Emotet, or IcedID infections. Also uses stolen credentials to log into Citrix environments. Activity often observed same-day as initial access campaign.
T1486 | Data Encrypted for Impact | Core function. Deploys ransomware (Ryuk, Conti, Hive, BlackCat, Nokoyawa, Play, Royal, Agenda, Mindware) for encryption. Prioritizes speed over stealth, achieving average time-to-ransom of 2.48 days without data theft.
T1059.001 | Command and Scripting Interpreter: PowerShell | Uses PowerShell for post-exploitation tasks, payload execution, and reconnaissance within compromised environments. Employed alongside Cobalt Strike for lateral movement.
T1021.002 | Remote Services: SMB/Windows Admin Shares | Deploys ransomware payloads via PsExec across domain-joined systems using compromised admin credentials. Standard component of FIN12's rapid deployment playbook.
T1003.001 | OS Credential Dumping: LSASS Memory | Uses Mimikatz for credential harvesting. ANSSI reported Mimikatz use alongside AccountRestore and SharpRoast (Kerberoasting) tools in the 2023 Brest hospital compromise.
T1490 | Inhibit System Recovery | Deletes Volume Shadow Copies and disables backup services before ransomware deployment. Standard pre-encryption preparation across all ransomware variants deployed by FIN12.
T1562.001 | Impair Defenses: Disable or Modify Tools | Disables endpoint protection and security monitoring tools before ransomware execution. Uses batch scripts and GPO modifications for domain-wide defense impairment.
T1572 | Protocol Tunneling | Uses SystemBC proxy bot for covert C2 communications. SystemBC deployed alongside Cobalt Strike in 2022-2023 attacks, providing encrypted SOCKS5 proxy tunneling to mask traffic.
T1055 | Process Injection | Cobalt Strike Beacon injected into legitimate processes for evasion. WEIRDLOOP payloads observed delivered via internal phishing campaigns from compromised user accounts.
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Uses SharpRoast for Kerberoasting attacks to extract service account credentials from Active Directory, enabling privilege escalation for ransomware deployment.

Known Campaigns

Confirmed or highly attributed operations linked to this threat actor. FIN12 does not name its campaigns; attribution is based on Mandiant, Microsoft, and ANSSI tracking of the group's distinct operational patterns.

Ryuk Healthcare & Enterprise Targeting 2018-2020

FIN12's initial operational phase, deploying Ryuk ransomware exclusively via TrickBot-provided access. Targeted U.S. hospitals, healthcare systems, and large enterprises with annual revenues over $300M. The October 2020 CISA/FBI/HHS joint alert warning of "increased and imminent" threats to hospitals was partly driven by FIN12 activity. Attacked Minnesota medical facilities in 2020, locking staff out of computer systems.

Conti Deployment & Access Diversification 2020-2022

After a four-month hiatus (March-August 2020), FIN12 returned with diversified initial access vectors. Transitioned from exclusive TrickBot reliance to multiple IABs including BazarLoader, Emotet, and Citrix credential brokers. Shifted primary ransomware payload to Conti. Mandiant observed FIN12 responsible for nearly 20% of their ransomware incident response engagements. Google TAG identified EXOTIC LILY as an IAB working with FIN12, sending up to 5,000 phishing emails daily to 650 organizations.

Multi-Ransomware Deployment Phase 2022-2023

Following Conti's dissolution, FIN12 rapidly adopted alternative RaaS platforms. Microsoft observed the group deploying Hive, then switching to BlackCat (ALPHV) beginning March 2022, suspected due to public discourse around Hive's decryption methodologies. Also deployed Nokoyawa, Play, Royal, Agenda, and Mindware. Demonstrated FIN12's ransomware-agnostic operational model and willingness to experiment with new platforms.

European Healthcare Expansion 2023

ANSSI reported FIN12/Pistachio Tempest involvement in the compromise of a server at the University Hospital Center (CHU) of Brest, France in March 2023. Attackers used valid healthcare professional credentials for initial backdoor access. Post-exploitation tools included Mimikatz, AccountRestore, SharpRoast, and SystemBC for C2. ANSSI noted 40% of French ransomware targets are SMEs, with 10% being health establishments.

African Critical Infrastructure Targeting 2023

Kaspersky reported Pistachio Tempest-linked activity targeting an electric utility in Africa using Cobalt Strike beacons and DroxiDat (a newer SystemBC variant). Nokoyawa ransomware detected in related incidents. Represents FIN12's expansion into critical infrastructure beyond its traditional healthcare focus.

Tools & Malware

FIN12's tool arsenal reflects its ransomware-agnostic operational model. The group switches between ransomware brands while maintaining consistent post-exploitation tradecraft.

  • Ransomware payloads (multiple): FIN12 has deployed Ryuk (2018-2020), Conti (2020-2022), Hive (2022), BlackCat/ALPHV (2022+), Nokoyawa (2022-2023), Play, Royal, Agenda, and Mindware. This diversity demonstrates the group's payload-agnostic approach and willingness to adopt whichever RaaS platform offers the best operational advantage.
  • Cobalt Strike: Primary post-exploitation framework across all campaign phases. Beacons deployed for C2, lateral movement, credential extraction, and ransomware staging. Increasingly replaced TrickBot as the post-access tool of choice after 2020.
  • SystemBC: Proxy bot providing encrypted SOCKS5 tunneling for C2 communication. Frequently deployed alongside Cobalt Strike in 2022-2023 operations. DroxiDat, a newer SystemBC variant, observed in 2023 African critical infrastructure targeting.
  • Sliver: Open-source adversary simulation framework used as alternative to Cobalt Strike. Adopted as part of the broader trend of ransomware operators diversifying post-exploitation tooling to evade Cobalt Strike-focused detections.
  • WEIRDLOOP: Custom loader payload observed in FIN12 intrusions. Delivered via internal phishing campaigns from compromised user accounts within victim environments.
  • Mimikatz: Standard credential harvesting tool for LSASS memory dumping and domain credential extraction. Complemented by AccountRestore and SharpRoast for comprehensive credential access.
  • SharpRoast: Kerberoasting tool for extracting service account password hashes from Active Directory. Used alongside Mimikatz for privilege escalation.
  • PsExec: Microsoft Sysinternals tool for remote ransomware deployment across domain-joined systems. Core component of FIN12's rapid encryption playbook.

Indicators of Compromise

FIN12-specific IOCs are challenging to isolate due to the group's use of shared malware ecosystems and rotating ransomware brands. Behavioral detection is the primary defensive approach.

warning

FIN12 switches ransomware brands frequently and relies on access brokers for initial entry, making static IOCs unreliable. Focus on behavioral patterns: rapid TTR (under 3 days), Cobalt Strike + SystemBC co-deployment, and Kerberoasting activity are stronger indicators than file hashes.

indicators of compromise (behavioral patterns)

Category | Indicator
pattern | Cobalt Strike + SystemBC co-deployment (FIN12 signature combination)
pattern | Rapid TTR: encryption within 2-3 days of initial access without data exfiltration
pattern | Initial access via TrickBot/BazarLoader/Emotet/IcedID precursor infection
credential tool | Mimikatz + SharpRoast (Kerberoasting) + AccountRestore in sequence
c2 | SystemBC SOCKS5 proxy alongside Cobalt Strike beacons (dual C2 channels)
initial access | Citrix environment logins using purchased or stolen valid credentials

Mitigation & Defense

Healthcare organizations, large enterprises (revenue > $300M), and critical infrastructure operators are at highest risk from FIN12. The group's speed-focused model means the window between compromise and encryption is extremely narrow, making prevention and early detection critical.

  • Disrupt initial access broker chains: Deploy advanced email filtering to detect TrickBot, BazarLoader, Emotet, and IcedID delivery campaigns. Monitor for QakBot and IcedID infections as precursors to FIN12 activity. Rapid containment of precursor malware infections is the highest-leverage defense.
  • Secure Citrix and remote access environments: Enforce MFA on all Citrix, VPN, and remote access portals. FIN12 has been observed purchasing Citrix credentials from underground markets. Monitor for anomalous remote logins, especially those using healthcare professional credentials.
  • Detect Cobalt Strike and SystemBC co-deployment: FIN12's signature post-exploitation pattern is Cobalt Strike beacons operating alongside SystemBC SOCKS5 proxies. Deploy behavioral detection for both toolsets. Monitor for SOCKS5 tunneling activity from unexpected processes.
  • Monitor for Kerberoasting and credential theft: Alert on SharpRoast, Mimikatz, and AccountRestore execution. Monitor for Kerberos TGS ticket requests to service accounts with weak passwords. Implement strong passwords on all service accounts and enable AES encryption for Kerberos.
  • Reduce time-to-detect below FIN12's TTR: FIN12's average time to ransom is 2.48 days without data theft. Security operations teams must detect and respond to intrusion indicators within hours, not days. Implement 24/7 SOC monitoring with automated alerting on ransomware precursor behaviors.
  • Maintain isolated backups: FIN12 deletes Volume Shadow Copies and targets backup infrastructure before encryption. Air-gapped, offline backups tested regularly for restoration integrity are essential for recovery without ransom payment.
  • Prioritize healthcare-specific defenses: Healthcare organizations should implement CISA's healthcare ransomware guidance, segment medical device networks from corporate IT, and ensure electronic health records have independent backup and recovery capabilities.
  • Implement application allowlisting: Restrict execution of unauthorized tools including PsExec, Cobalt Strike, SystemBC, and Sliver. FIN12 relies on deploying commodity post-exploitation tools; blocking their execution significantly disrupts the attack chain.
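As an added illustration that is not part of the original profile or any vendor's detection content, the following Python flags two of the behaviors from the TTP table and the mitigation list above over constructed Windows Security event records: one account requesting RC4 service tickets for many distinct SPNs in a short window (Kerberoasting, T1558.003) and process creations that delete shadow copies or backup catalogs (T1490). The event field names, thresholds and sample records are assumptions.

```python
"""Behavioral detections for two FIN12 pre-encryption steps, run over
constructed Windows Security event records (JSON lines). Added example,
not code from the profile or from any vendor product."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4769 = Kerberos service ticket request,
# 4688 = process creation. Field names are assumptions for this example.
SAMPLE_EVENTS = """
{"ts":"2023-03-10T02:14:05","id":4769,"user":"j.doe","spn":"MSSQLSvc/db01","enc":"0x17"}
{"ts":"2023-03-10T02:14:06","id":4769,"user":"j.doe","spn":"HTTP/intranet","enc":"0x17"}
{"ts":"2023-03-10T02:14:06","id":4769,"user":"j.doe","spn":"CIFS/fs02","enc":"0x17"}
{"ts":"2023-03-10T02:14:07","id":4769,"user":"j.doe","spn":"LDAP/dc01","enc":"0x17"}
{"ts":"2023-03-10T02:14:07","id":4769,"user":"j.doe","spn":"host/app03","enc":"0x17"}
{"ts":"2023-03-10T03:00:00","id":4769,"user":"backupsvc","spn":"CIFS/fs02","enc":"0x12"}
{"ts":"2023-03-10T04:31:12","id":4688,"host":"fs02","cmd":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2023-03-10T04:31:13","id":4688,"host":"fs02","cmd":"wbadmin delete catalog -quiet"}
{"ts":"2023-03-10T04:40:00","id":4688,"host":"ws07","cmd":"notepad.exe report.txt"}
"""

RC4_ETYPE = "0x17"        # RC4-HMAC: the ticket type Kerberoasting tools request
SPN_THRESHOLD = 4         # distinct SPNs by one account inside WINDOW (assumed tuning)
WINDOW = timedelta(minutes=5)
# Command-line fragments that remove shadow copies or backup catalogs.
RECOVERY_KILLERS = ("delete shadows", "delete catalog", "shadowcopy delete")

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_kerberoasting(events):
    """Map user -> sorted SPNs when that user requested RC4 TGS tickets for
    at least SPN_THRESHOLD distinct SPNs within WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("id") == 4769 and e.get("enc") == RC4_ETYPE:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # sliding window from each request
            spns = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(spns) >= SPN_THRESHOLD:
                hits[user] = sorted(spns)
                break
    return hits

def detect_recovery_inhibition(events):
    """(host, command line) for process creations that inhibit recovery."""
    return [(e["host"], e["cmd"]) for e in events
            if e.get("id") == 4688
            and any(k in e.get("cmd", "").lower() for k in RECOVERY_KILLERS)]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("kerberoasting:", detect_kerberoasting(evs))
    print("recovery inhibition:", detect_recovery_inhibition(evs))
```

Either hit alone is worth a page-out given FIN12's sub-three-day time to ransom; the two in sequence from the same environment should be treated as an active pre-encryption intrusion.
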

note

FIN12/Pistachio Tempest attribution is complicated by the group's position within the broader Wizard Spider ecosystem. MITRE ATT&CK associates FIN12 as part of Wizard Spider (G0102), while Mandiant tracks it as a distinct entity. Microsoft tracks it independently as Pistachio Tempest (DEV-0237). The group's frequent switching between ransomware brands means that focusing solely on ransomware family indicators will miss FIN12 activity. Defenders should track FIN12 by its operational patterns (IAB-dependent access, speed-focused encryption without data theft, healthcare targeting, Cobalt Strike + SystemBC tooling) rather than by any single ransomware brand.

Sources & Further Reading

Attribution and references used to build this profile.
