Ransomware gangs leaking sensitive financial information to extort organizations
Attackers will threaten to release confidential data that could affect a company’s stock price to pressure them to pay the ransom, says the FBI.
Ransomware operators will stoop to any tactic necessary to try to force their victims to acquiesce to the ransom demands. One popular tactic is double extortion in which the attackers threaten to publish the stolen data unless the ransom is paid. Now some criminal gangs have devised a twist on that type of ploy. In a new report published Monday, the FBI warns of attacks in which ransomware groups will leak sensitive information that could impact a company’s stock price if the ransom goes unpaid.
SEE: Infographic: The 5 phases of a ransomware attack (TechRepublic)
Before launching an actual attack, ransomware operators will research the intended victim to find public and nonpublic information that they can leverage. Such information could include details about impending mergers or acquisitions and other sensitive business or financial actions.
Unless the ransom is paid following the attack, the criminals threaten to leak this information publicly, thereby affecting the stock price or creating a backlash among investors.
“It is not unusual for attackers to know how much cash you have available, how much insurance you carry and even if you are involved in a merger or acquisition, as they review financial documents prior to unleashing the encryption malware,” said KnowBe4 Security Awareness Advocate Erich Kron. “In some cases, these groups will wait until a holiday weekend when staffing is likely to be slim and reaction times are slowed by people leaving town or being unavailable.”
SEE: Hackers are getting better at their jobs, but people are getting better at prevention (TechRepublic)
In its report, the FBI described a few actual ransomware incidents in which the attackers used or threatened to use this tactic.
In 2020, a ransomware operator posted a note on a Russian hacking forum urging hackers to use the NASDAQ stock exchange to extort public companies. A couple of months later, a ransomware attacker negotiating with a victim sent them the following warning: “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what’s gonna (sic) happen with your stocks.”
Also in 2020, at least three public companies in the U.S. involved in mergers and acquisitions were hit by ransomware attacks while conducting talks to hammer out the details. For two of these companies, the talks were private.
In November 2020, an analysis of a remote access trojan dubbed Pyxie RAT, which often precedes a ransomware attack, found several keywords in a search of a victim’s network. These words included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.
In April of 2021, Darkside ransomware operators posted an update on their blog site with a tactic designed to hurt a company’s stock price. The post stated: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
Whether to pay the ransom is a difficult decision that every victimized organization must make. In its report, the FBI reiterated that it does not recommend paying the ransom as doing so encourages these types of criminals and doesn’t guarantee that the encrypted files will be decrypted. Whatever decision an organization makes, however, the FBI still encourages victims to report any incident to law enforcement.
Further, to protect your organization from ransomware attacks in the first place, the FBI offers the following tips:
- Back up your critical data and keep the backups offline.
- Make sure that backup copies of your critical data are stored in the cloud or on an external device.
- Ensure that your backups are secure and that the data cannot be modified or deleted from the source of the original data.
- Install and update antivirus and anti-malware software on all systems and hosts.
- Only use secure networks and avoid public and unsecure Wi-Fi networks.
- Set up two-factor authentication for all account credentials. Also, use authenticator apps rather than email verification to thwart attackers who compromise email accounts.
- Never click on unsolicited or unexpected attachments or links in emails.
- Enable least privilege access for files, directories and network shares.
“Organizations, especially those coming into sensitive times such as those around a merger or acquisition, are wise to focus on preventing these attacks by dealing with the most common attack vectors for ransomware, phishing emails and remote access portals,” Kron said. “Training users and testing them with simulated phishing attacks, allowing them to become more proficient at spotting and reporting these attacks, is a key method to lower risk of infection, as is ensuring remote access portals are monitored for brute force attacks, and requiring multi-factor authentication for any user logins.”