FBI: Ransomware groups tying attacks to 'significant financial events'

The FBI has sent out a notice saying ransomware groups often link their attacks to IPOs and mergers and acquisitions as a way to pressure companies.
Written by Jonathan Greig, Contributor

The FBI released a new report saying ransomware groups are increasingly using "significant financial events" as leverage during their attacks.

According to the FBI, ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms. 

"Prior to an attack, ransomware actors research publicly available information, such as a victim's stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash," the FBI wrote. 

"Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims. Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access." 

The FBI noted that while ransomware groups indiscriminately distribute malware, they often carefully select their victims based on the information they get from initial intrusions.  

The gangs search for non-public information and then threaten companies by saying they will release the documents ahead of important financial events, hoping the pressure will prompt victims to pay ransoms. 


The groups look for data or information that they know will affect a company's stock price and "adjust their timeline for extortion," the FBI found. 

The law enforcement agency highlighted multiple instances where ransomware actors themselves urged others to use the NASDAQ stock exchange as a sort of bellwether for the extortion process. The FBI said it found a post from a well-known ransomware actor named "Unknown" in Exploit -- a popular Russian hacking forum -- urging other ransomware groups to follow this method.

In the notice, the FBI shared a direct quote from a ransomware group negotiating with a victim in March 2020.

"We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks," the group told the victim during the negotiation. 

The FBI noted that from March to July in 2020, at least three publicly traded US companies were attacked by ransomware groups as they were going through the process of a merger and acquisition.

Two of the three were negotiating the financial deals privately, indicating the ransomware groups had gained access to confidential data. 

"A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire," the FBI explained. 
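The keyword list in that analysis is something a defender can turn into a detection, since searches for SEC filing names and market-news terms on a file server are unusual for most hosts. The following is an added example, not code from the FBI notice, the article, or any vendor: it scans a constructed file-search audit log for the six keywords the FBI cites and flags hosts where several distinct keywords are searched within a short window, which separates an operator sweeping for price-sensitive documents from a single incidental hit. The log format, field names, host names, and the two-keyword, 30-minute threshold are all assumptions.

```python
"""
Added example (not from the FBI notice or the article): flag hosts whose
file searches use the SEC-filing and market-news keywords the FBI cites.
The audit-log format, hosts, users and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six keywords named in the FBI notice.
FINANCIAL_KEYWORDS = {"10-q", "10-sb", "n-csr", "nasdaq", "marketwired", "newswire"}

# Constructed sample audit records (assumed format):
# timestamp | host | user | event | query="..." path=...
SAMPLE_LOG = r"""
2020-11-03T09:12:01Z | fin-ws07 | jdoe | file_search | query="10-q draft" path=\\fs01\finance
2020-11-03T09:12:44Z | fin-ws07 | jdoe | file_search | query="nasdaq listing" path=\\fs01\finance
2020-11-03T09:13:10Z | fin-ws07 | jdoe | file_search | query="newswire embargo" path=\\fs01\ir
2020-11-03T09:30:00Z | hr-ws02 | asmith | file_search | query="timesheet" path=\\fs01\hr
2020-11-03T10:05:12Z | dev-ws11 | bmark | file_search | query="newswire parser tests" path=C:\src
2020-11-03T14:02:00Z | fin-ws07 | jdoe | file_search | query="n-csr" path=\\fs01\finance
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \| (?P<host>\S+) \| (?P<user>\S+) \| (?P<event>\S+) \| query="(?P<query>[^"]*)"'
)


def parse_line(line):
    """Parse one audit record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def keyword_hits(query):
    """Return the set of FBI-cited keywords that appear as whole tokens in a search query."""
    tokens = set(re.split(r"[\s,;:/\\]+", query.lower()))
    return FINANCIAL_KEYWORDS & tokens


def flag_hosts(log_text, min_distinct=2, window=timedelta(minutes=30)):
    """Return {host: sorted keywords} for hosts whose file searches hit at least
    `min_distinct` distinct keywords within any `window`-long span."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "file_search":
            continue
        hits = keyword_hits(rec["query"])
        if hits:
            per_host[rec["host"]].append((rec["ts"], hits))

    flagged = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        # Slide a window starting at each hit; the first span that reaches the
        # threshold is enough to flag the host for triage.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, hits in events[i:]:
                if ts - start > window:
                    break
                seen |= hits
            if len(seen) >= min_distinct:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for host, kws in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: searched for {', '.join(kws)} within a 30-minute window")
```

On the constructed log, only fin-ws07 is flagged: it searched for 10-q, nasdaq and newswire within a minute, while the developer host's lone "newswire" hit and the HR host's unrelated search stay below the threshold. The token-level match and the distinct-keyword count are the two choices that keep a rule like this from paging on every mention of a news wire in a filename.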

The FBI shared another message from Darkside ransomware actors in April that said, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges." 

"If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information," the ransomware group wrote on its blog.

Recorded Future's Allan Liska told ZDNet that what the FBI is describing has been going on for a while. 

He noted that REvil specifically discussed using stock valuation and merger activity as extortion techniques during ransomware attacks and the DarkSide ransomware group did the same thing. 

"However, what the FBI is reporting is an escalation of these tactics. We know that ransomware groups monitor news stories closely, it sounds like they are now using information gathered from the news to target specific companies during financially sensitive times (such as a merger or public offering)," Liska said.

"Outside of a few industries, we aren't used to thinking of ransomware attacks as 'targeted,' in a traditional sense. But, if the FBI report is accurate, ransomware groups are going after specific companies during this period. If I were a company planning for IPO or a merger, I would closely monitor underground forums for stolen credentials and ensure that I am being extra cautious about security during that period."

A recent study from Comparitech showed that ransomware attacks do have some temporary effect on the stock price and financial health of companies.

The study showed that immediately after a ransomware attack, the share price of the affected company fell 22% on average, but the dip typically lasted only one to 10 days. Overall, the report said most ransomware attacks did not have a big effect on victim companies.

"Despite data loss, downtime, and possibly paying a ransom or fine or both, share prices for attacked companies continue to outperform the market following a very brief drop. Even cybersecurity firms themselves seem insulated from any prolonged dip in share price when their own cybersecurity fails in the face of a ransomware attack," Comparitech's Paul Bischoff said. 

"The exception is Ryuk ransomware, which had a more severe negative impact on share price than other types of ransomware. Data breaches have a larger and lengthier negative impact on share price than ransomware, according to our other study, but only marginally so. And bear in mind that these two attacks are often combined."

Ransomware expert and Emsisoft threat analyst Brett Callow told ZDNet that ransomware actors use every bit of leverage they can possibly get -- whether that's using bots to promote their attacks on Twitter, doing press outreach, contacting customers or, per this alert, using non-public information obtained during the reconnaissance phase of attacks to further pressure victims. 

"We've also seen incidents in which actors appeared to have delayed encrypting compromised networks until it was closer to the time of a significant event. None of this is surprising," Callow said. 

"The gangs' tactics have become progressively extreme over the last couple of years and, unfortunately, that's not likely to change any time soon."
