Skip to content

Illustration by Security Management

Ransomware Actors Use Financial Events to Select Targets

As companies consider mergers and acquisitions, risk management and security professionals perform their due diligence into assets, valuations, and vulnerabilities. Ransomware actors are doing the same.

According to a new Private Industry Notification (PIN) from the FBI, ransomware actors are likely using significant financial events like mergers or acquisitions to target and leverage victim companies for ransomware infections—threatening to disclose nonpublic financial information that could trigger investor backlash if victims do not pay up promptly.

“Ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims,” the PIN said. “Ransomware is often a two-stage process beginning with an initial intrusion through a trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access. However, while this malware is often mass distributed, most victims of trojans are not also victims of ransomware, indicating ransomware targets are often carefully selected from a pool based on information gleaned from the initial reconnaissance.”

“During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands,” the FBI continued. “Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

The PIN included several examples to support the warning, such as recommendations from ransomware actors on hacking forums to use the NASDAQ stock exchange to influence the extortion process and threatening victims that the actors could impact their company share prices.

Between March and July 2020, the FBI said at least three publicly traded U.S. companies actively involved in mergers and acquisitions were ransomware victims during negotiations. Out of the three, two were under private negotiations.

Cybersecurity companies were quick to comment on the news. Josh Brewton, vCISO for Cyvatar, said that “this criminal tactic is nothing new. Criminals have utilized geographic location, high social status, and evidence of big-ticket purchases to target victims. Criminals are using similar cybercrime tactics to target their next victim. These tactics ensure victims have the means to pay out a ransom and are large enough to be forced to consider the public perception of how an incident is handled. Organizations need to consider the cost of the initial ransom requested and the cost of a damaged public image or leaked proprietary information to a competitor. There are many different driving factors, but they all end at the same point—the need for a secure and resilient network utilizing defense-in-depth to minimize the possibility of such events.”

One potential reason for attackers to target companies in the M&A process or those that are accruing notable venture capital (VC) funds is the availability of ready cash to pay ransoms, in addition to the added threat of disclosing sensitive information.

“Ransomware attackers are increasingly going after profit, using their attacks to target companies who have had a run-up in their stock price, or who have received significant VC funding,” said Saryu Nayyar, CEO at Gurucul in a statement. “These enterprises may have money to use to pay ransomware attackers based on ready cash. Attackers often find that it’s easier to pay for non-public information rather than make that information available to the world. Enterprises can be stuck between paying attackers versus making public potentially material information.”

According to Erich Kron, security awareness advocate for KnowBe4, “It is not unusual for attackers to know how much cash you have available, how much insurance you carry, and even if you are involved in a merger or acquisition, as they review financial documents prior to unleashing the encryption malware. In some cases, these groups will wait until a holiday weekend when staffing is likely to be slim and reaction times are slowed by people leaving town or being unavailable.

“In cases where [U.S. Securities and Exchange Commission] filings or regulatory bodies are involved, even if you pay the ransom, it is still a data breach once the information is stolen,” he said. “Organizations, especially those coming into sensitive times such as those around a merger or acquisition, are wise to put focus on preventing these attacks by dealing with the most common attack vectors for ransomware—phishing emails and remote access portals. Training users and testing them with simulated phishing attacks, allowing them to become more proficient at spotting and reporting these attacks, is a key method to lower risk of infection, as is ensuring remote access portals are monitored for brute force attacks, and require multifactor authentication (MFA) for any user logins."

The FBI notification reminded companies that the Bureau does not encourage paying ransoms to criminal actors, as paying up emboldens cybercriminals to continue targeting companies and it does not guarantee the safe return of files.

“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," the PIN said. "Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local field office."