The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in “time sensitive financial events” such as corporate mergers and acquisitions to make it easier to extort their victims.
In a private sector notice released Monday, the FBI said ransomware operators would use financial information gathered prior to the attack as leverage to force victims to meet ransom demands.
“The FBI believes that ransomware actors are very likely to use significant financial events such as mergers and acquisitions to attack victim companies for ransomware infections,” the federal law enforcement agency said.
“During the initial investigation phase, cyber criminals identify non-public information that they threaten to divulge or use as leverage during the extortion process to get victims to comply with ransom demands,” the FBI added.
“Threatening events that could affect a victim’s stock value, such as announcements, mergers and acquisitions, encourage ransomware actors to target a network or adjust their extortion timeline if access is made.”
Ransomware gangs target victims’ stock prices
For example, the REvil (Sodinokibi) ransomware gang said last year it was considering adding an automated email script that would contact exchanges like NASDAQ to notify them that companies have been hit by ransomware, in order to influence their share price.
REvil also searches stolen data after corporate servers are breached to find damaging information that could be used to force its victims to pay the ransom.
Recently, the DarkSide ransomware operation announced that it would give inside information about companies trading on NASDAQ or other stock markets to traders looking to short the stock for a quick profit.
The FBI also shared several cases in which ransomware groups have used internal or public information about ongoing merger or acquisition negotiations to target vulnerable companies:
- At the beginning of 2020, a ransomware actor with the nickname “Unknown” published a post on the Russian hacking forum “Exploit” that called on people to use the NASDAQ exchange to influence the extortion process. Following this post, unidentified ransomware actors negotiating a payment with a victim during a ransomware event in March 2020 stated, “We also determined that you have stocks and see what will happen to your stocks.”
- Between March and July 2020, at least three US publicly traded companies that were actively involved in mergers and acquisitions fell victim to ransomware during their respective negotiations. Of the three pending mergers, two were in private negotiations.
- A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777 / RansomEXX ransomware infections, found multiple keyword searches on a victim’s network that indicated an interest in the victim’s current and near-term stock price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.
- In April 2021, DarkSide ransomware actors posted a message on their blog site to express their interest in influencing a victim’s stock price. The message reads: “Now our team and our partners are encrypting many companies that are traded on NASDAQ and other exchanges. If the company refuses to pay, we will be ready to provide information prior to publication so that it would be possible to include in the reduction price of the share. Write to us under ‘Contact’ and we will inform you in detail.”
Paying ransoms is discouraged
The FBI says it does not encourage paying ransoms to ransomware gangs, as paying is not guaranteed to protect victims from data breaches or future attacks.
Paying the ransom motivates the criminals behind ransomware operations to target even more victims and gives more cybercriminals an incentive to follow their example and join them in engaging in illegal activities.
However, the FBI recognizes the damage a ransomware attack can do to a company, as executives may be forced to pay a ransomware actor to protect shareholders, customers, or employees. The FBI strongly recommends reporting such incidents to the local FBI field office.
The FBI also set out measures to help system administrators and cybersecurity professionals protect networks from attempted ransomware attacks.