FBI: Ransomware Targets Companies During Mergers and Acquisitions
The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in “time-sensitive financial events” such as corporate mergers and acquisitions to make it easier to extort their victims.
In a private industry notification published on Monday, the FBI said ransomware operators would use the financial information collected before attacks as leverage to force victims to comply with ransom demands.
“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections,” the federal law enforcement agency said.
“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” the FBI added.
“Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”
Ransomware gangs target victims’ stock price
For instance, last year, the REvil (Sodinokibi) ransomware gang said they were considering adding an auto-email script that would reach out to stock exchanges, such as NASDAQ, to let them know that companies were hit by ransomware to impact their stock price.
REvil is also sifting through stolen data after breaching companies’ servers to find damaging information that can be used to force their victims into paying the ransoms.
More recently, DarkSide ransomware announced that they would share insider info on companies trading on NASDAQ or other stock markets with traders who want to short the stock price to make a quick profit.
The FBI also shared several instances when ransomware groups have used inside or public info of ongoing merger or acquisition negotiations to target vulnerable companies:
- In early 2020, a ransomware actor using the moniker “Unknown” made a post on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna (sic) happen with your stocks.”
- Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
- A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.
- In April 2021, Darkside ransomware4 actors posted a message on their blog site to show their interest in impacting a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
Paying ransoms not encouraged
The FBI says that it does not encourage paying a ransom to ransomware gangs and advises companies against it as it’s not guaranteed that paying will protect them from data leaks or future attacks.
Paying ransoms motivates the criminals behind ransomware operations to target even more victims and incentivizes more cybercrime groups to follow their lead and join them in conducting illegal activities.
However, the FBI recognizes the damage a ransomware attack can do to a business since executives may be forced to consider paying a ransomware actor to protect shareholders, customers, or employees. The FBI strongly recommends reporting such incidents to their local FBI field office.
The FBI also provided measures to help system admins and cybersecurity professionals guard the networks against ransomware attack attempts.