FBI Warns That Ransomware Gangs Target Companies During Mergers and Acquisitions, Threatening To Disclose Non-Public Information
The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) warning that ransomware gangs were targeting companies involved in “time-sensitive financial events” like mergers and acquisitions.
According to the bureau, the gangs search for non-public financial information and threaten to publish it if the victims do not comply with ransom demands.
The agency notes that ransomware groups leverage impending events that could affect companies’ stock prices, such as announcements, mergers, and acquisitions, to force the victims to pay.
Ransomware gangs use stock market information to extort victims
The federal law enforcement agency enumerated several extortion attempts related to stock market information.
In 2020, threat actors negotiating a ransom payment threatened to leak the victim’s data to the NASDAQ stock exchange and “see what’s gonna happen” to the stocks.
These extortion attempts occurred after a threat actor using the alias “Unknown” encouraged others on the Russian hacking forum “Exploit” to use information from the NASDAQ to coerce their victims into paying the ransom.
Similarly, three publicly traded US companies involved in mergers and acquisitions fell victim to ransomware gangs between March and July 2020.
An analysis of the Pyxie remote access trojan (RAT) found that the malware variant searched for stock information using keywords like 10-q, 10-sb, n-csr, Marketwired, NASDAQ, and Newswire. Threat actors use the backdoor in Defray777 and RansomEXX ransomware attacks.
Also, the Darkside ransomware gang posted a message on its data leak site stating that its “team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges.”
The group requested interested parties to make inquiries about such companies, promising that “if the company refuses to pay, we are ready to provide information before the publication.”
Similarly, the REvil/Sodinokibi ransomware gang disclosed it was planning to add an auto-emailer to contact stock exchange platforms and inform them that the victim had suffered a ransomware attack.
Insider information has significant value on the underground markets. In 2015, nine people faced charges for hacking Newswire to steal unpublished corporate information. Similarly, a Californian man faced charges after allegedly selling insider information on the dark web in 2016 and 2017.
“It should come as no surprise that hackers can access all kinds of sensitive information once they’ve compromised an organization’s systems or a user’s account,” noted Ariel Zommer, Sr. Product Manager at OneLogin. “Financial and M&A data are some of the most proprietary information an organization can have. And with global M&A activities hitting an all-time record in 2021, ransomware gangs are – once again – demonstrating their ability to quickly adapt their tactics based on market conditions.”
Victims are more likely to pay during mergers and acquisitions
According to the FBI warning, ransomware gangs gained leverage on companies during mergers and acquisitions because the victims try to avoid investor backlash.
The ransomware gangs meticulously select their victims and adjust extortion timelines to coincide with significant financial events.
“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”
Erich Kron, Security Awareness Advocate at KnowBe4, noted that the timing of the attack ensures that the ransomware gangs cause the most damage.
“Timing ransomware attacks to cause disruptions at specific times to improve the chance of a payout is not a new tactic; however, for organizations involved in mergers and acquisitions, it is an important one to be aware of,” Kron continued. “Unlike early strains of ransomware that automatically and indiscriminately encrypted any files it could locate, the new versions of ransomware involve significant human action before beginning the encryption phase.”
According to the FBI, “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
Jack Chapman, VP of Threat Intelligence at Egress, agrees that ransomware gangs are always looking for ways to “motivate” their victims to pay, knowing that the more pain and pressure they apply, the bigger the chance of success.
By targeting organizations in the middle of sensitive financial events such as mergers and acquisitions, ransomware gangs expect their attacks to have a higher impact because they can negatively impact the victim’s share price.
“Ransomware gangs will stop at nothing to ensure their attacks succeed – and for organizations at risk of attack, that should be a big concern,” the FBI says.
However, the FBI discouraged companies from caving to those demands and urged them to report any attempted extortion to help bring the perpetrators to book. Additionally, paying the ransom encourages ransomware gangs to attack more companies involved in mergers and acquisitions using similar tactics.
Bowing to ransomware gangs’ demands does not guarantee data recovery or prevent the criminals from selling insider information to third parties. The FBI also encouraged network defenders to harden their networks to prevent ransomware gangs from gaining access.
However, the FBI acknowledged that executives face difficult choices when their businesses cannot function after an attack, advising the business leaders to consider all options to protect their shareholders, customers, and employees.
“In cases where SEC filings or regulatory bodies are involved, even if you pay the ransom, it is still a data breach once the information is stolen,” Kron explained. “Organizations, especially those coming into sensitive times such as those around a merger or acquisition, are wise to put focus on preventing these attacks by dealing with the most common attack vectors for ransomware, phishing emails, and remote access portals.”