Ransomware Groups Exploit Company Financial Events For Extortion

Ransomware groups frequently use double extortion to compel victims to make ransom payments. Besides encrypting files, they steal sensitive information and threaten to sell or publish it if no ransom is paid. The Federal Bureau of Investigation (FBI) has recently released a private industry notification about a new extortion strategy: ransomware groups attack businesses and organizations engaged in important, time-sensitive financial events, steal sensitive financial information, and then threaten to expose that data if payment is not made.

Ransomware groups perform substantial research on their victims before launching an attack, collecting both publicly available information and non-public material. Attacks are then timed to coincide with events such as quarterly earnings reports, initial public offerings, SEC filings, and merger and acquisition activity, when the release of stolen data could significantly affect the victim’s stock price.

The FBI explains that during the initial reconnaissance phase, the criminals identify non-public information that they can threaten to expose, or otherwise use as leverage, at the time of extortion to pressure victims into meeting their ransom demands. Upcoming events that could affect a victim’s stock price, such as announcements, mergers, and acquisitions, motivate ransomware groups to attack a network, or to adjust the timing of their extortion where access has already been obtained.

A number of ransomware operations steal sensitive information and sort through it looking for potentially damaging material. Both the REvil and Darkside ransomware groups have threatened to inform stock exchanges such as NASDAQ about an ongoing ransomware attack and to release damaging data in order to drive down the victim’s share price.

The Darkside ransomware gang wrote in a blog post that they encrypt many companies trading on NASDAQ and other stock exchanges. If a company declines to pay, they would provide the information before publication, so that it is possible to profit from the drop in the share price.

The FBI lists several attacks that targeted organizations going through mergers or acquisitions. For instance, in early 2020, a ransomware actor using the nickname “Unknown” posted on the Russian hacking forum “Exploit” that a good way to pressure victims into paying was to point out their listing on the NASDAQ stock exchange and threaten to release information to NASDAQ to drive down their share price. Several threat actors followed that advice. From March 2020 to July 2020, about 3 publicly traded US companies actively involved in mergers and acquisitions were attacked; two of them were in private negotiations at the time.

Threat actors that deploy the Pyxie Remote Access Trojan (RAT) before dropping the RansomEXX and Defray777 ransomware variants searched for information on victims’ current and near-future stock prices in the early stages of their attacks. A November 2020 analysis of the Trojan showed keyword searches for terms such as 10-Q, N-CSR, 10-SB, newswire, NASDAQ, and Marketwired.
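The keyword list above is something defenders can hunt for in endpoint telemetry. The following is an added example (not code from the FBI notification or the article): it groups constructed EDR-style events by process (the `pid`/`type`/`detail` schema is hypothetical) and flags a process only when its command lines and file reads touch several distinct SEC-filing or newswire indicators, which keeps a single stray filename from raising an alert.

```python
import json
import re
from collections import defaultdict

# Indicators taken from the FBI note quoted above (SEC form names and newswire
# services). Lookarounds instead of \b so "_10-Q_" in a filename still matches,
# and the optional separator tolerates "10q" or "n_csr".
INDICATORS = {
    "form_10-Q":   re.compile(r"(?<![a-z0-9])10[-_ ]?q(?![a-z0-9])", re.I),
    "form_N-CSR":  re.compile(r"(?<![a-z0-9])n[-_ ]?csr(?![a-z0-9])", re.I),
    "form_10-SB":  re.compile(r"(?<![a-z0-9])10[-_ ]?sb(?![a-z0-9])", re.I),
    "newswire":    re.compile(r"newswire", re.I),
    "nasdaq":      re.compile(r"(?<![a-z0-9])nasdaq(?![a-z0-9])", re.I),
    "marketwired": re.compile(r"marketwired", re.I),
}

# Constructed EDR-style events (hypothetical schema: pid, type, detail).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "process",
     "detail": r'cmd.exe /c dir C:\Users /s /b | findstr /i "10-q n-csr"'},
    {"pid": 4120, "type": "file_read",
     "detail": r"C:\Users\cfo\Documents\Q3_10-Q_draft.docx"},
    {"pid": 4120, "type": "file_read",
     "detail": r"C:\Users\cfo\Documents\nasdaq_listing_notes.xlsx"},
    {"pid": 5003, "type": "process",
     "detail": r'powershell.exe -c "Get-ChildItem -Recurse -Filter *newswire*"'},
    {"pid": 6100, "type": "process", "detail": r"notepad.exe C:\temp\todo.txt"},
]

def indicators_in(text):
    """Return the set of indicator names found in one event's detail string."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def score_events(events, min_distinct=2):
    """Group events per process and return {pid: [indicators]} for processes
    whose activity touched at least `min_distinct` different indicators."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]] |= indicators_in(ev["detail"])
    return {pid: sorted(hits) for pid, hits in per_pid.items()
            if len(hits) >= min_distinct}

if __name__ == "__main__":
    # Only pid 4120 (three distinct indicators) is reported with the default threshold.
    print(json.dumps(score_events(SAMPLE_EVENTS), indent=2))
```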

To prevent attacks and ensure data can be restored without paying a ransom, the FBI recommends regularly backing up data and keeping the backups offline, installing and routinely updating antivirus software, keeping all software patched, applying least privilege and network segmentation, only using secure networks for internet connections, and enforcing multi-factor authentication.

The FBI does not recommend paying a ransom, as payment encourages attackers to target more businesses, encourages other criminals to engage in ransomware attacks, and offers no guarantee that data will be recovered. Nonetheless, the FBI recognizes that businesses facing an inability to operate will likely evaluate all options to protect their shareholders, employees, and customers. Whatever the decision, the FBI urges all ransomware victims to report attacks to their nearest FBI field office.