FBI Warns of Ransomware Actors Leveraging M&A Data
Bad Actors Learn Victim Firms' Public, Nonpublic Data Before Attack to Increase Impact
The Federal Bureau of Investigation has issued a notification warning to private sector companies, especially those listed or in the process of being listed on stock exchanges, to be aware of ransomware actors using their undisclosed merger and acquisition data for extortion.
The #FBI assesses ransomware actors are likely using significant financial events like mergers and acquisitions to target and leverage victim companies. Review our PIN for related recommendations and steps to report a compromise. #RansomwareAware https://t.co/FAU8ATP9ZL— FBI (@FBI) November 2, 2021
In its notification, the FBI explains that ransomware is often a two-stage process: intrusion followed by reconnaissance, and then the actual infection. Of the two, reconnaissance is the more important, since ransomware actors carefully select their victims based on the information gleaned during this initial phase, the notification says.
"During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established," notes the FBI.
As organizations become more resilient to the traditional cybercriminal playbook of file encryption ransomware, the gangs will adapt their strategies to extort payouts from their attacks, says Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel.
"By exfiltrating and reviewing internal data, cybercriminals can identify information that could damage a victim’s reputation or stock price and then use the threat of public disclosure to demand a payout. As the FBI suggests, attackers will often attempt to time these threats to inflict maximal pain on their victims to further incentivize paying up," he tells Information Security Media Group.
Examples of Compromise
Citing evidence for its notification, the FBI shared several instances in which ransomware actors carried out this tactic in attacks in 2020 and 2021:
The first instance it notes is from early 2020, when a ransomware actor using the moniker Unknown posted a message on the Russian hacking forum Exploit that encouraged using the Nasdaq Stock Market to influence the extortion process. Malware analyst Damian shared the post with the news platform Bleeping Computer. In it, the Sodinokibi/REvil operators say: "[We] have some interesting thoughts about auto-notification email addresses of stock exchanges (for example, NASDAQ), which will allow you to influence the financial condition of the company quickly and efficiently."
Following this, unidentified ransomware actors negotiating payment with a victim in a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna happen with your stocks," the FBI notes.
Between March and July 2020, at least three publicly traded U.S. companies actively involved in mergers and acquisitions were targeted with ransomware during their respective negotiations. Two of the three pending mergers were under private negotiations, according to the FBI.
A November 2020 technical analysis of Pyxie RAT, a remote access Trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network, indicating an interest in the victim’s current and near-future stock share price. These keywords included:
- 10-q - a quarterly report that includes financial information;
- 10-sb - a filing form used to register the securities of small businesses that wish to trade on U.S. exchanges;
- n-csr - a form that registered management investment companies must file with the Securities and Exchange Commission within 10 days after a company disseminates annual and semi-annual reports to stockholders.
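As an added example, not part of the FBI notification or this article, the following Python check scans a constructed search-audit log for queries naming the SEC forms listed above and flags hosts that query several distinct forms, the pattern a defender would triage during the reconnaissance phase the FBI describes. The log line format, host names and sample events are all assumed for the demonstration.

```python
import re
from collections import defaultdict

# SEC filing form identifiers that the FBI notification says were searched for
# on a victim network. Matching is case-insensitive and on whole tokens, so
# "10-quarter" is not a hit for "10-q".
SEC_FORM_KEYWORDS = ("10-q", "10-sb", "n-csr")
KEYWORD_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(k) for k in SEC_FORM_KEYWORDS) + r")(?![\w-])",
    re.IGNORECASE,
)

# Assumed log format (constructed, not any real product's schema):
# <timestamp> host=<hostname> user=<user> event=search query="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=search query="(?P<query>[^"]*)"'
)

def find_sec_form_searches(lines):
    """Return one dict per log line whose search query names an SEC form."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a search event, or malformed; ignore
        kw = KEYWORD_RE.search(m["query"])
        if kw:
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "keyword": kw.group(1).lower(), "query": m["query"]})
    return hits

def hosts_over_threshold(hits, min_distinct_forms=2):
    """Hosts whose searches name at least min_distinct_forms different SEC forms.
    One hit may be a finance user doing their job; several distinct form types
    queried from a single host is the pattern worth a closer look."""
    forms_by_host = defaultdict(set)
    for h in hits:
        forms_by_host[h["host"]].add(h["keyword"])
    return sorted(host for host, forms in forms_by_host.items()
                  if len(forms) >= min_distinct_forms)

# Constructed sample events for demonstration.
SAMPLE_LOG = [
    '2020-11-03T09:12:01Z host=fin-ws07 user=jdoe event=search query="Q3 10-Q draft"',
    '2020-11-03T09:12:44Z host=fin-ws07 user=jdoe event=search query="n-csr 2020 filing"',
    '2020-11-03T09:13:10Z host=fin-ws07 user=jdoe event=search query="10-sb"',
    '2020-11-03T09:20:05Z host=hr-ws02 user=asmith event=search query="10-quarter onboarding"',
    '2020-11-03T09:25:30Z host=eng-ws11 user=build event=open path="C:\\src\\main.c"',
    '2020-11-03T09:30:00Z host=legal-ws01 user=mlee event=search query="merger 10-q"',
]

if __name__ == "__main__":
    found = find_sec_form_searches(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["user"], h["keyword"], repr(h["query"]))
    print("hosts to triage:", hosts_over_threshold(found))
```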
The last example the FBI notes is from April 2021, when DarkSide ransomware actors posted a message on their blog site showing their interest in affecting a victim’s share price. MalwareHunterTeam, a website that identifies ransomware used to encrypt victims, tweeted a screenshot taken from the threat actor's underground site, concluding, "So if I have not missed anything, they are the first ransomware group that is offering info for shorting."