FBI says ransomware groups are using private financial information to further extort victims
The FBI has warned that ransomware groups are targeting companies involved in “significant, time-sensitive financial events,” like mergers and acquisitions, in an effort to coerce victims into paying their ransom demands.
In an advisory to private companies this week, the FBI said that cybercriminals targeting companies involved in major financial events often try to find non-public information, which they can threaten to publish if the victim doesn’t pay the ransom demand.
“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established,” the FBI said.
“If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
The FBI said it has identified several cases of ransomware groups using information on an ongoing merger or acquisition negotiation to put pressure on organizations to pay up.
Last year, a long-time member of the REvil ransomware group encouraged using the Nasdaq stock exchange as a way to strong-arm victims into paying up. Weeks later, another ransomware group cited a victim’s publicly traded stock in its negotiations with the company. Later that year, an analysis of another ransomware attack identified several keywords used by the hackers to search a victim’s network for non-public financial information related to financial filings with regulators and upcoming press releases, according to the FBI.
In April this year, the DarkSide ransomware group, since rebranded as BlackMatter, announced that it was looking to work with market traders to punish victims that failed to pay up. In a message posted to its now-defunct blog, the group urged traders to reach out and receive the inside scoop on the gang’s latest corporate victims, so that the traders could short sell the victims’ stock before any data is leaked and the news goes public.
“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges,” a post from the Russian hacking collective read. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price [sic] of shares.”
The FBI has long urged organizations not to give in to cybercriminals’ ransom demands as it “emboldens” the hackers to target additional organizations and funds other criminal activity, but noted that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
The warning comes just weeks after the FBI — along with CISA and the NSA — warned that the aforementioned BlackMatter ransomware group has targeted “multiple” organizations deemed critical infrastructure, including two organizations in the U.S. food and agriculture sector.