Payments received by bitcoin wallet addresses between January 2019 and April 2020, which we believe were generally associated with RYUK victim ransom payments, but not solely FIN12 victims, total over $150 million USD. Mandiant officially changed its name from FireEye to Mandiant this week, and its Nasdaq ticker symbol went from FEYE to MNDT. In fact, according to Mandiant, the cybercriminals speak Russian and are most likely based in a CIS country. The group has targeted a diverse range of industries, including a number of healthcare firms, which several ransomware groups have promised to avoid. In most of its attacks, FIN12 has used the Ryuk ransomware and has relied on other cybercrime groups for initial access into victims' environments. According to Joshua Shilko, an analyst at Mandiant, the group has been on a break since early June 2021. The FireEye Products business and the FireEye name, on the other hand, were sold to private equity firm Symphony Technology Group (STG) for $1.2 billion earlier this year. When they do make changes, they make ones that have an impact and help them evade detection, such as modifying the obfuscation, in-memory loaders, malleable C2 profiles, and occasionally switching up their post-exploitation framework. They largely relied on access obtained by operators of the Trickbot malware until March 2020, but after that they began to use additional malware, as well as remote Citrix and RDP logins using credentials obtained from underground forums. Instead, they appear to favor speed, spending less than three days on average on the victim's network before encrypting files and announcing their presence with a ransom demand, according to researchers.
We previously looked at victim communications and found that ransomware threat actors can make a lot of money. So, even if we haven't heard from them in a few months, we have no illusions that they are gone for good.” “Even if only a small number of victims paid a ransom, FIN12 might make tens of millions of dollars per month,” Goody added. And there are a few things we may expect when they return,” Shilko said. Unlike other ransomware groups, FIN12 seldom spends time obtaining valuable data from victims' environments before encrypting their data and demanding a ransom. Furthermore, they appear to exclusively target businesses with revenue of at least $300 million – the average annual revenue of FIN12 victims identified by Mandiant was over $6 billion. Mandiant's director of financial crime analysis, Kimberly Goody, said that while they don't usually have direct access to victim discussions, FIN12's ransom demands range from $1 million to $25 million based on what they have observed. “While there isn't a clear comparison to FIN12, we do know that ransomware operations that use RYUK have been very profitable.” Researchers suspect, however, that the group's regional targeting has expanded, including to Europe and the Asia-Pacific region. The threat group, previously known as UNC1878 by Mandiant, has been active since at least October 2018. Until recently, Mandiant was a part of FireEye. The victimology, initial access, TTPs, use of malware and illicit services, monetization, and origins are all covered in Mandiant's report on FIN12. Cybercriminal organizations that use the Ryuk ransomware frequently seek a ransom of $5 million to $50 million. These profits are significant, and they can be re-invested in both people and tools to improve future operations' effectiveness.
” The majority of the companies targeted by FIN12 were based in North America, with 71% in the United States and 12% in Canada. “Their TTPs, their playbook, has remained essentially unchanged for nearly three years, which is rather astounding.” Before a cybersecurity firm can determine whether an entity is a financially motivated group (FIN) or a state-sponsored advanced persistent threat actor (APT), it is given the UNC classification. According to Mandiant, the healthcare industry accounts for 20% of FIN12 victims. The Commonwealth of Independent States (CIS), which includes Russia and other former Soviet republics, is one region they haven't targeted. “While this could indicate that they've gone their separate ways or something, these breaks aren't unusual in their history.” FIN12 took a long break in the summer of 2020, according to Mandiant, and there was also some downtime in early 2021, around the holidays.