FBI: Ransomware Attacks Exploit Financial Business Events

The Federal Bureau of Investigation (FBI) this week issued an industry-wide notification to raise awareness about ransomware operators leveraging information on mergers, acquisitions and stock valuations to launch extortion attacks on businesses.

Ransomware actors are known for performing extensive research prior to launching an attack on victims, using publicly available information, along with material non-public data. Should the victim refrain from paying the ransom, the attackers threaten to disclose the gathered information publicly, thus attempting to extort the victim, the FBI warned.

“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” it added.

The FBI said ransomware victims are often carefully selected from a pool of entities  infected by an access broker with Trojan malware that is usually mass distributed.

The selection is performed based on initial reconnaissance during which non-publicly available information is identified and harvested to be used as leverage during the extortion phase.

“Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established,” according to the FBI advisory.

The Bureau also warns of incidents in which threat actors threatened to leak private data to the NASDAQ stock exchange, claiming it would affect the victim stock price.

[ READ: FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware ] 

Three publicly traded U.S. companies were targeted by ransomware between March and July 2020 while they were under active mergers and acquisitions negotiations. Two of the negotiations were private.

A November 2020 analysis of Pyxie RAT, a piece of malware that often leads to Defray777/RansomEXX ransomware infections, revealed that the adversaries were searching a victim’s network for keywords related to current and near future stock share price.

Darkside ransomware operators in April 2021 posted on their blog site a message indicating interest in negatively impacting their victims’ share prices.

The FBI encourages organizations to keep their data securely backed up offline, to ensure their software is updated at all times, to employ anti-malware software, to implement a least privilege approach and network segmentation, to use two-factor authentication, and to always use secure networks for connections.

Related: FBI Publishes IOCs for Hello Kitty Ransomware

Related: FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware