Home Governance Ransomware Operators Leverage Financial Events Like M&A to Pressurize Victims: FBI

Ransomware Operators Leverage Financial Events Like M&A to Pressurize Victims: FBI

The FBI has released a notification stating that threat actors are leveraging critical financial events like mergers and acquisitions to target organizations for ransomware attack.


The FBI released a notification identifying the use of critical financial events and stock valuation to facilitate targeting and extortion of victims by ransomware groups.

Threat actors are now going beyond network and data vulnerability and leveraging an organization’s financial and market vulnerabilities. The FBI has assessed that the adversaries use significant financial events, such as mergers and acquisitions, to launch ransomware attacks.

“Threat ransomware actors are targeting companies involved in significant, time-sensitive financial events to incentivize ransom payment by these victims. Ransomware is often a two-stage process beginning with an initial intrusion through a Trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access,” the FBI said.

Threat actors scout for confidential, non-public information of the target and coerce the victim to relent to the ransom demands. The victims, in most cases, would concede as they are amid a significant financial event like stock valuation or a merger and acquisition, whereby the consequences of any leaked information could heavily impact the stock value of the company.

The FBI listed multiple ransomware cases from 2020 and 2021:

  • In early 2020, a ransomware actor using the moniker “Unknown” made a post on the Russian hacking forum “Exploit” that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna happen with your stocks.”
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near future stock share price.
  • In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

Evolving Ransomware Techniques

From new malware variants to different hacking methods, threat actors constantly change their approaches to encrypt victims’ data and pressurize them into paying the ransom. To prove their power, the operators behind the Darkside ransomware group announced that they are leveraging new extortion tactics by targeting companies that are listed stock markets like NASDAQ. As reported in April 2021, the Darkside operators stated they are coaxing certain crooked stockbrokers to use insider information of their corporate targets to short-sell a victim company’s stock before disclosing the breach or leak any data. The operators believed that the impact of posting a traded company’s name on its website would cause the victim company’s stock price to fall and help insider traders make profits.

See also: Darkside Ransomware Gang Adopts New Extortion Technique by Targeting Stock Traders

Not conceding to ransom demands has been echoed by experts and authorities across industries, yet the victims’ willingness to pay for their compromised data has been the primary reason why we continue to see a surge in the attacks.

“Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law,” the FBI added.

FBI Recommends

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication for user login credentials, use authenticator apps rather than email as actors may be in control of victim email accounts, and do not click on unsolicited attachments or links in emails.
  • Implement least privilege for file, directory, and network share permissions.

Bill-Alderson_HopzeroIn an exclusive quote to CISO MAG, Bill Alderson, CTO, HOPZERO, said, “Sadly, the NSA, CIA, and FBI all losing their lawful intercept tools to hackers increased technical ability greatly.  As with any monetization method – they are increasing their market by simple research to find high stakes, high-visibility situations they can exploit. All is not lost.  Hackers are not omniscient, omnipotent, or omnipresent, as those technically deficient might think, that only AI can fix data compromise. And by AI Security success, those are easy pickings.  My solution rests with hop starvation reducing the attack surface of vital servers by over 99% reducing risk while catching ransomware and phish – hooking-em, cooking-em, and frying-em up in a pan.”