The US has warned that ransomware hacking groups are now targeting companies involved in “significant, time-sensitive financial events” and people to whose private financial information they have gained access.
In the latest advisory to private firms, the Federal Bureau of Investigation (FBI) said that ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.
“Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI said in its report.
During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands.
If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.
The FBI said it had identified several cases of ransomware groups using the information on an ongoing merger or acquisition negotiation to put pressure on the firms to pay up.
In early 2020, a ransomware actor using the moniker “Unknown” made a post on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process.
Following this, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated: “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the NASDAQ and we will see what’s gonna (sic) happen with your stocks.”
Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations.
In April this year, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim’s share price.
The message stated: “Now our team and partners encrypt many companies that are trading on Nasdaq and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn a reduction in the price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
The FBI said that paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to distribute ransomware, and/or may fund illicit activities.
Paying the ransom also does not guarantee that a victim’s files will be recovered.
“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” it said.