FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion

Share this article on:

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made.

Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value.

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” explained the FBI. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Several ransomware operations are known to steal sensitive data and sift through that information to find potentially damaging material. The REvil and Darkside ransomware gangs have both issued threats to contact stock exchanges such as NASDAQ to advise them about a current ransomware attack and provide damaging information to tank share prices.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information,” said the Darkside ransomware gang in an April 2021 post on their blog site.

The FBI lists some attacks where companies have been targeted that were undergoing mergers or acquisitions. For example, in early 2020, a ransomware actor with the moniker “Unknown” posted on the Russian “Exploit” hacking forum that a good way to force victims to pay the ransom was to reference their presence on the NASDAQ stock exchange and threaten to leak data to NASDAQ to tank share prices. That advice was followed by several threat actors. Between March 2020 and July 2020, at least three publicly traded US companies that were actively involved in mergers and acquisitions were targeted, two of which were undergoing private negotiations.

Threat actors known to deploy the Pyxie Remote Access Trojan (RAT) before using the Defray777 and RansomEXX ransomware variants were searching for information on victims’ current and near-future stock values in the initial phases of the attacks. A November 2020 analysis of the Trojan revealed keyword searches for terms such as 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.

To prevent attacks and ensure data recovery is possible without paying a ransom, the FBI recommends regularly backing up data and storing it offline, installing and regularly updating antivirus software, making sure all software is kept up to date, adopting the least privilege approach and network segmentation, only using secure networks for connections, and implementing multi-factor authentication.

The FBI doesn’t recommend paying a ransom as it emboldens adversaries to target additional organizations, encourages other threat actors to conduct ransomware attacks, and there is no guarantee that payment will result in data recovery. However, the FBI understands that businesses faced with an inability to function will likely evaluate all options to protect their shareholders, employees, and customers. Regardless of the decision taken, the FBI encourages all ransomware victims to report attacks to their local FBI field office.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On