FBI says ransomware gangs are using future merger and acquisition info to pressure victims

The US Federal Bureau of Investigation says that several ransomware gangs have used financial information, such as stock valuations and upcoming mergers and acquisitions, to put pressure on victims and force them into paying large ransom demands.

"During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands," the FBI said in a Private Industry Notification (PIN) it sent out on Monday [PDF].

"Impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established," the agency added.

The FBI said it found evidence of several ransomware groups using this tactic in attacks carried out throughout 2020 and 2021:

• In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks."
• Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
• A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.
• In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information."

In addition to these examples, starting this summer, the operators of the Pysa (Mespinoza) ransomware have also started using a Powershell script to search their victims' networks for financial-related information they could steal and use in their extortion tactic.

The FBI urged organizations not to cave into these tactics and ransom demands, but the agency also added that it "understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers."

In these cases, the agency urged victims to at least report the extortion and ransom payment to their local FBI field office, so the agency can keep track of attacks and possibly hold ransomware groups accountable for their actions in a future legal case.