FBI Warns That Ransomware Gangs Target Companies During Mergers and Acquisitions, Threatening To Disclose Non-Public Information
The Federal Bureau of Investigation (FBI) issued a private sector notice (PIN) warning that gangs of ransomware are targeting companies involved in “time-sensitive financial events” such as mergers and acquisitions.
According to the bureau, the gangs are searching for non-public financial information and threatening to publish it if victims fail to comply with the ransom demands.
The agency notes that ransomware groups are using upcoming events that could affect company stock prices, such as announcements, mergers and acquisitions, to force victims to pay.
Ransomware gangs use stock market information to blackmail victims
The federal law enforcement agency listed several blackmail attempts in connection with stock market information.
In 2020, threat actors negotiating a ransom payment threatened to share the victim’s details on the NASDAQ exchange and “see what will happen to the stocks.”
These blackmail attempts came after a threat actor under the pseudonym “Unknown” encouraged others on the Russian hacker forum “Exploit” to use information from NASDAQ to force their victims to pay the ransom.
Similarly, three US publicly traded companies involved in mergers and acquisitions fell victim to ransomware gangs between March and July 2020.
An analysis by the Pyxie Remote Access Trojans (RAT) found that the malware variant searched for stock information using keywords such as 10-q1, 10-sb2, n-csr3, Marketwired, NASDAQ and Newswire. Threat actors use the backdoor in Defray777 and RansomEXX ransomware attacks.
In addition, the Darkside ransomware gang posted a message on their data leak site that said their “team and partners are encrypting many companies trading on NASDAQ and other exchanges.”
The group encouraged interested parties to inquire about such companies and promised that “if the company refuses to pay, we will be ready to provide information in advance of publication.”
Similarly, the REvil / Sodinokibi ransomware gang announced that they plan to add an automatic emailer to contact exchange platforms and inform them that the victim has suffered a ransomware attack.
Inside information has significant value in the underground markets. In 2015, nine people were charged with hacking Newswire to steal unpublished company information. Similarly, a Californian was charged after allegedly selling inside information on the dark web in 2016 and 2017.
“It should come as no surprise that hackers can gain access to all kinds of sensitive information once they compromise a company’s systems or a user account,” said Ariel Zommer, Sr. Product Manager at OneLogin. “Financial and M&A data are some of the most secure pieces of information a company can have. And as global M&A activity hit a new record in 2021, ransomware gangs are proving – once again – their ability to quickly adapt their tactics to market conditions. “
Victims are more likely to pay in mergers and acquisitions
According to the FBI warning, gangs of ransomware have taken hold of companies in mergers and acquisitions as the victims try to avoid a backlash from investors.
The ransomware gangs meticulously select their victims and adapt extortion deadlines to significant financial events.
“The FBI believes that ransomware actors are very likely to use significant financial events such as mergers and acquisitions to target and exploit victim companies for ransomware infections.”
Erich Kron, Security Awareness Advocate at KnowBe4, noted that timing of the attack ensures that the ransomware gangs do the most damage.
“Timing ransomware attacks to cause disruption at certain times to improve the likelihood of a payout is not a new tactic. However, it is important for companies involved in mergers and acquisitions to be aware of this, ”continued Kron. “Unlike early strains of ransomware, which automatically and indiscriminately encrypted all files found, the new versions of ransomware require significant human intervention before the encryption phase begins.”
According to the FBI: “If victims don’t pay the ransom quickly, ransomware actors threaten to publish this information publicly, leading to a possible backlash from investors.”
Jack Chapman, VP of Threat Intelligence at Egress, agrees that gangs of ransomware are always looking for ways to “motivate” their victims to pay, knowing that the more pain and pressure they exert, the greater the chances of success.
As gangs of ransomware target companies in sensitive financial events like mergers and acquisitions, they expect greater impact as they can negatively impact the victim’s stock price.
“Ransomware gangs will stop at nothing to make sure their attacks are successful – and this should be a big problem for organizations at risk of attack,” said the FBI.
However, the FBI stopped companies from giving in to these demands and reporting any attempts at extortion to bring the perpetrators to justice. Additionally, paying the ransom encourages ransomware gangs to use similar tactics to attack more companies involved in mergers and acquisitions.
Bowing to the demands of ransomware gangs does not guarantee data recovery or prevent criminals from selling inside information to third parties. The FBI also encouraged network defenders to harden their networks to prevent gangs of ransomware from gaining access.
However, the FBI acknowledged that executives face tough decisions when their businesses cease to function after an attack, and advised corporate leaders to consider all options to protect their shareholders, customers, and employees.
“In cases where SEC filings or regulators are involved, even if the ransom is paid, once the information has been stolen, it is still a data breach,” explained Kron. “Organizations, especially those in sensitive times like a merger or acquisition, should focus on preventing these attacks by addressing the most common attack vectors for ransomware, phishing emails, and remote access portals.”