Organizations Attacked by Ransomware Actors During Purchasing and Merging Events, FBI Warns
The Federal Law Enforcement Agency Advises Orgs Once Again to Not Pay the Ransom.
The FBI warns that threat actors behind ransomware campaigns are attacking organizations taking part in significant financial events, such as corporate mergers and acquisitions, because the sensitivity of those events makes the targets easier to extort.
On Monday, the FBI issued a private industry notification warning that ransomware threat actors use financial information gathered before an attack as leverage to pressure victims into paying the requested ransom.
The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.
During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands.
Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.
As mentioned by BleepingComputer, a year ago, the REvil (Sodinokibi) cybercrime group stated that they were thinking of adding an auto-email script that would notify stock exchanges, such as NASDAQ, that organizations had been affected by ransomware to impact their stock price.
In April 2021, the DarkSide ransomware gang announced that it would provide insider information about firms listed on NASDAQ or other stock exchanges to traders looking to earn a quick profit by shorting the stock.
New “press release” from DarkSide ransomware actors: “About stock traders.”
So if I haven't missed anything, they are the first ransomware group that is offering info for shorting.
Seriously not sure what “new” thing to expect from ransomware groups now…
cc @VK_Intel pic.twitter.com/UZqY8BmcpA
— MalwareHunterTeam (@malwrhunterteam) April 22, 2021
The FBI also gave some examples of ransomware gangs targeting vulnerable businesses using inside or public information about existing merger or acquisition discussions:
- In early 2020, a ransomware actor using the moniker “Unknown” made a post on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna (sic) happen with your stocks.”
- Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Two of the three pending mergers were under private negotiation.
- A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.
- In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
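The Pyxie RAT keyword list above is something defenders can hunt for directly. The following Python script is an added example, not part of the FBI notification or this article: it scans constructed process command-line audit events for the reported keywords and flags a host/user pair only when several distinct keywords appear within a short window, so a single legitimate hit (an accountant opening a 10-Q draft) stays below the threshold. Hosts, users, paths, the event format and the 30-minute/2-keyword threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keyword set the FBI cites from the November 2020 Pyxie RAT analysis.
# "10-q", "10-sb" and "n-csr" are SEC filing form names; the rest are market-news sources.
STOCK_KEYWORDS = ("10-q", "10-sb", "n-csr", "nasdaq", "marketwired", "newswire")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in STOCK_KEYWORDS), re.IGNORECASE)

# Constructed sample of command-line audit events (hypothetical hosts, users, paths),
# one per line: timestamp|host|user|command_line
SAMPLE_EVENTS = r"""
2020-11-02T09:14:03|FS01|svc_backup|cmd.exe /c dir /s \\FS01\finance\*10-q*
2020-11-02T09:14:41|FS01|svc_backup|findstr /s /i nasdaq \\FS01\finance\*.docx
2020-11-02T09:15:20|FS01|svc_backup|findstr /s /i n-csr \\FS01\legal\*.pdf
2020-11-02T11:02:10|WS-ACCT07|jdoe|EXCEL.EXE "Q3 10-Q draft.xlsx"
2020-11-03T08:00:00|FS01|svc_backup|findstr /s /i newswire \\FS01\pr\*.txt
"""

def parse_events(text):
    """Parse pipe-delimited event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmd": cmd})
    return events

def hunt_stock_keyword_searches(events, window=timedelta(minutes=30), min_distinct=2):
    """Return one finding per (host, user) whose command lines reference at least
    `min_distinct` distinct stock/filing keywords inside some `window`-long span."""
    hits = defaultdict(list)  # (host, user) -> [(timestamp, keyword), ...]
    for ev in events:
        for m in KEYWORD_RE.finditer(ev["cmd"]):
            hits[(ev["host"], ev["user"])].append((ev["ts"], m.group(0).lower()))
    findings = []
    for (host, user), items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct keywords seen from this hit until the window closes.
            seen = {kw for ts, kw in items[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings.append({"host": host, "user": user,
                                 "first_seen": start, "keywords": sorted(seen)})
                break  # one finding per host/user pair is enough to triage
    return findings

if __name__ == "__main__":
    for f in hunt_stock_keyword_searches(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']}/{f['user']} at {f['first_seen']}: {', '.join(f['keywords'])}")
```

With the constructed sample, only the svc_backup account on FS01 is flagged (10-q, n-csr and nasdaq within two minutes); the next-day newswire search and the single Excel hit are not.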
As usual, the FBI advises against paying a ransom to threat actors. Paying a ransom encourages them to target even more enterprises. Paying the ransom also does not ensure the recovery of a victim’s files.
Nevertheless, the FBI understands that when a company is unable to operate, managers might consider all options in order to protect their shareholders, staff, and clients.
Whether or not you or your company choose to pay the ransom, the FBI recommends that you report ransomware attacks to your local FBI field office. The notification also lists the following mitigations:
- Back up critical data offline;
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device;
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides;
- Install and regularly update anti-virus or anti-malware software on all hosts;
- Only use secure networks and avoid using public Wi-Fi networks;
- Use two-factor authentication for user login credentials, use authenticator apps rather than email as actors may be in control of victim email accounts, and do not click on unsolicited attachments or links in emails;
- Implement least privilege for file, directory, and network share permissions.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security offers its customers an integrated cybersecurity suite that includes the Ransomware Encryption Protection module. The module is compatible with any antivirus solution and is 100% signature-free, ensuring detection and remediation of any type of ransomware, whether fileless or file-based (including recent families such as LockFile).
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;