The Federal Bureau of Investigation (FBI) this week issued an industry-wide notification to raise awareness about ransomware operators leveraging information on mergers, acquisitions and stock valuations to launch extortion attacks on businesses.
Ransomware actors are known for performing extensive research prior to launching an attack on victims, using publicly available information, along with material non-public data. Should the victim refrain from paying the ransom, the attackers threaten to disclose the gathered information publicly, thus attempting to extort the victim, the FBI warned.
“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” it added.
The FBI said ransomware victims are often carefully selected from a pool of entities infected by an access broker with Trojan malware that is usually mass distributed.
The selection is performed based on initial reconnaissance during which non-publicly available information is identified and harvested to be used as leverage during the extortion phase.
“Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established,” according to the FBI advisory.
The Bureau also warns of incidents in which threat actors threatened to leak private data to the NASDAQ stock exchange, claiming it would affect the victim stock price.
[ READ: FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware ]
Three publicly traded U.S. companies were targeted by ransomware between March and July 2020 while they were under active mergers and acquisitions negotiations. Two of the negotiations were private.
A November 2020 analysis of Pyxie RAT, a piece of malware that often leads to Defray777/RansomEXX ransomware infections, revealed that the adversaries were searching a victim’s network for keywords related to current and near future stock share price.
Darkside ransomware operators in April 2021 posted on their blog site a message indicating interest in negatively impacting their victims’ share prices.
The FBI encourages organizations to keep their data securely backed up offline, to ensure their software is updated at all times, to employ anti-malware software, to implement a least privilege approach and network segmentation, to use two-factor authentication, and to always use secure networks for connections.
Related: FBI Publishes IOCs for Hello Kitty Ransomware
Related: FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware

More from Ionut Arghire
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
Latest News
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
