Ransomware actors use financial events to target companies

Ransomware actors are using significant, time-sensitive financial events, such as mergers and acquisitions, to target and leverage victim companies, according to the Federal Bureau of Investigation (FBI) recent Private Industry Notification (PIN).

Before an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not quickly pay a ransom, ransomware actors threaten to publicly disclose this information, causing potential investor backlash.

The FBI says that these significant events that affect a victim’s stock value encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.

In early 2020, the FBI said, a ransomware actor using the moniker “Unknown” posted on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna (sic) happen with your stocks.”

Between March and July 2020, at least three publicly traded U.S. companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.

A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.

In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

Cybercrime is on the rise — with ransomware attacks up more than 100% over the past year, says Kevin Dunne, President at Pathlock. “Much of the growth is due to the fact that these attacks have been largely unprosecuted in the past. Bad actors can make off with large sums of money, while the risk of being caught is slim to none. Ensuring that there is a semblance of real risk to these attacks is essential in deterring them from happening in the first place. Typically the data being sought out by attackers — sensitive data that can be used to extort and/or embarrass — is housed in strategic business applications, such as ERP and HR systems. This highlights the need for established controls and rulesets for how user roles in those systems and applications are designed, provisioned, and continually enforced. Misconfigured, over-entitled and orphaned accounts are often the most vulnerable to ransomware attacks — all of which can be regularly audited for, to minimize risk.”

Hank Schless, Senior Manager, Security Solutions at Lookout, says, “Ransomware attacks tend to have a common attack chain at a high level regardless of who is carrying them out. Very often, attackers use a phishing campaign to steal an employee’s login credentials to gain access without setting off any alarms. Another approach is to compromise the user’s device to install malware like a remote access trojan to enable access that goes undetected. Once the attacker gains access through one of these approaches, they move laterally throughout the infrastructure until they find valuable data to exfiltrate or encrypt as part of their ransomware attack.”

The FBI reminded organizations that the agency does not encourage paying a ransom to criminal actors at it possibly encourages adversaries to target other organizations, inspires other criminal actors to engage in the distribution of ransomware, and/or may fund further illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered, the FBI said.

“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the PIN said. “Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.”

The FBI also provided the following recommendations:

Back-up critical data offline.
Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
Install and regularly update anti-virus or anti-malware software on all hosts.
Only use secure networks and avoid using public Wi-Fi networks.
Use two-factor authentication for user login credentials. Use authenticator apps rather than email as actors may control victim email accounts and do not click on unsolicited attachments or links in emails.
Implement least privilege for file, directory, and network share permissions.
Review the following additional resources.

The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
StopRansomware.gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.