Ransomware Groups Tying Attacks To ‘Crucial Financial Events’

According to a new FBI assessment, ransomware gangs are increasingly utilizing “important financial events” as leverage in their operations.

According to the FBI, ransomware gangs target corporations and force them to pay the ransom through events such as acquisitions and mergers.

“Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI wrote. 

“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims. Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access.” 

While ransomware gangs indiscriminately disseminate software, they frequently deliberately pick their victims based on the data collected from the first attacks, according to the FBI.

The gangs look for non-public material and then blackmail firms by threatening to reveal the papers before significant financial events, intending to put victims under pressure to pay ransoms.

The FBI discovered that the organizations hunt for data or information that they know would impact a company’s stock price and “adjust their timeline for extortion.”

The law enforcement agency cited many cases in which ransomware attackers pushed others to use the NASDAQ stock exchange as a type of bellwether for the extortion operation. The FBI claimed it discovered a post in Exploit, a famous Russian hacker site, from a well-known ransomware actor named “Unknown” instructing other ransomware gangs to use this strategy.

The FBI included a verbatim quotation from a ransomware gang negotiating with a target in March 2020 in the warning.

“We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the NASDAQ and we will see what’s gonna (sic) happen with your stocks,” the group told the victim during the negotiation. 

The FBI reported that between July and March of 2020, at least three publicly listed US corporations were targeted by ransomware gangs while they went through the merger and acquisition process.

Two of the three were privately discussing payment settlements, indicating that the ransomware gangs had gotten access to sensitive material.

“A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, N-CSR, NASDAQ, Marketwired, and newswire,” the FBI explained. 

The FBI shared another message from Darkside ransomware actors in April that said, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges.” 

“If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn at the reduced price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information,” the ransomware group wrote on its blog.

According to Allan Liska of Recorded Future, what the FBI is saying has been going on for quite some time.

He mentioned how REvil expressly addressed leveraging stock valuation and merger activities as extortion strategies during ransomware assaults, and how the DarkSide ransomware gang did the same.

“However, what the FBI is reporting is an escalation of these tactics. We know that ransomware groups monitor news stories closely, it sounds like they are now using information gathered from the news to target specific companies during financially sensitive times (such as a merger or public offering),” Liska said.

“Outside of a few industries, we aren’t used to thinking of ransomware attacks as ‘targeted,’ in a traditional sense. But, if the FBI report is accurate, ransomware groups are going after specific companies during this period. If I were a company planning for IPO or a merger, I would closely monitor underground forums for stolen credentials and ensure that I am being extra cautious about security during that period.”

According to a new Comparitech study, ransomware assaults have a transient impact on company stock prices and financial health.

According to the report, the share price of a firm decreased 22 percent on average immediately following a ransomware assault. However, the survey discovered that the decrease typically lasts between one and ten days. Finally, the survey concluded that the majority of ransomware attacks had little impact on victim businesses.

“Despite data loss, downtime, and possibly paying a ransom or fine or both, share prices for attacked companies continue to outperform the market following a very brief drop. Even cybersecurity firms themselves seem insulated from any prolonged dip in share price when their own cybersecurity fails in the face of a ransomware attack,” Comparitech’s Paul Bischoff said. 

“The exception is Ryuk ransomware, which had a more severe negative impact on share price than other types of ransomware. Data breaches have a larger and lengthier negative impact on share price than ransomware, according to our other study, but only marginally so. And bear in mind that these two attacks are often combined.”

According to Brett Callow, a ransomware specialist and Emsisoft threat researcher, ransomware assailants are using every bit of leverage they can get, whether it’s using bots to enhance their attacks on Twitter, doing press outreach, contacting customers, or, according to this alert, using non-public information obtained during the reconnaissance phase of attacks to further pressure victims.

“We’ve also seen incidents in which actors appeared to have delayed encrypting compromised networks until it was closer to the time of a significant event. None of this is surprising,” Callow said. 

“The gangs’ tactics have become progressively extreme over the last couple of years and, unfortunately, that’s not likely to change any time soon.”