Cyber Threat Actor: FIN12
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
1 incident |
|---|
Profile
FIN12, operating under the alias Conti, is a Russia-linked cybercriminal group primarily engaged in financially motivated ransomware operations. Public reporting attributes multiple high-impact attacks to this threat actor, with a consistent focus on extortion through data encryption and exfiltration. The group’s activities align with a ransomware-as-a-service model, leveraging coordinated attacks to pressure victims into paying ransoms.
Conti’s targeting spans government entities, critical infrastructure, and private-sector organizations, with incidents demonstrating a preference for sectors where operational disruption amplifies ransom leverage. The 2022 attack on Costa Rica’s government exemplifies this strategy, compromising ministries overseeing finance, labor, social security, and public services. Conti leaked 672 GB of sensitive data—including taxpayer records and payment system details—after the government refused a $10 million ransom demand, triggering a national emergency and significant infrastructure disruption. Similarly, the group targeted TIC International Corporation, a U.S.-based insurance plan administrator, exfiltrating names, addresses, and Social Security numbers of nearly 2,000 individuals in Texas alone. These operations reflect Conti’s systematic approach to selecting victims where data sensitivity or operational criticality increases the likelihood of ransom payment. Technical infrastructure and malware artifacts from these incidents have been publicly tied to Conti’s ransomware tools, though specific initial access vectors remain undocumented in available sources.
The U.S. government has explicitly identified Conti as a Russian criminal organization, offering a $10 million bounty for information on its leadership following the Costa Rica incident. Conti’s operations are characterized by aggressive double-extortion tactics—encrypting systems while threatening to publish stolen data—as seen in both the Costa Rican government and TIC International breaches. The group’s public ransom negotiations and data leak platforms further underscore its organized criminal enterprise structure. While FIN12/Conti’s exact affiliations beyond Russia are not detailed in available reports, its consistent alignment with financially motivated cybercrime distinguishes it from espionage-focused threat groups. The scale and impact of its operations have established Conti as a persistent threat to global organizations, particularly those in government and essential services.
