Ransomware gangs are zeroing in on publicly held companies with the threat of financial exposure in an effort to encourage ransom payments, the FBI is warning.
In an alert issued this week [PDF], the Bureau said that activity over the course of the past year shows a trend toward targeting companies when they’re coming up to “significant, time-sensitive financial events,” such as quarterly earnings reports and mandated SEC filings, initial public offerings, M&A activity, and so on. The idea is to ratchet up the extortion thumb-screws by threatening to leak stolen information relevant to these events if the target doesn’t pay up.
“Impending events that could affect a victim’s stock value, such as announcements [or] mergers and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion,” the Feds noted.
Doug Britton, CEO at Haystack Solutions, noted that it’s a savvy strategy.
“Criminal organizations are realizing the ability to drive leverage in their extortion demands by targeting companies at critical inflection points in their growth,” he said via email. “This is a strategic play on an otherwise familiar ransomware attack. Any company that doesn’t prepare for this attack is risking their ability to operate or fulfill their obligation to shareholders.”
Targeting Stock Prices
Last year, the ransomware actor who goes by the handle “Unknown” (believed to be a former leader of the REvil group) appeared to mastermind the approach, suggesting in the Exploit Russian hacking forum that a good way to sway targets to succumb to ransom demands is by referencing their corporate presence on the NASDAQ stock exchange.
Soon, some were following the advice: “Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, ‘We have also noticed that you have stocks. If you will not engage us for negotiation, we will leak your data to the nasdaq [sic] and we will see what’s gonna [sic] happen with your stocks,’” according to the alert.
Also last year, at least three publicly traded U.S. companies actively involved in M&A negotiations were hit with ransomware. In addition, a technical analysis of the Pyxie remote access trojan (which acts as a first-stage implant that eventually delivers the Defray777/RansomEXX ransomware) revealed several financially related keyword searches, the FBI said.
These included “10-Q,” referring to a quarterly report that must be submitted by all publicly traded companies disclosing relevant information regarding finances; “10-SB,” which is a form used to register the securities of small businesses that want to trade on U.S. exchanges; and “N-CSR,” a form that must be filed within 10 days of a company issuing annual and semi-annual reports to stockholders. Other keywords included NASDAQ, MarketWired and Newswire.
In April, the DarkSide ransomware gang (a group that the FBI has blamed for the Colonial Pipeline attack) posted a plan to use victims’ share price as extortion leverage, according to the FBI, and offered to teach others how to do the same thing.
The message said: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
Bill Lawrence, CISO at SecurityGate, noted that companies should now be on high alert when going public, executing mergers or acquisitions, or going through other significant financial events – and should tightly control information, including public information.
“Companies should especially keep their guard up during these types of events and use third-party penetration testers and thorough risk assessments to try to find the security gaps and types of data that would be helpful to criminals,” he noted in an email. “They should always ensure their public-facing information is controlled carefully, while sensitive financial or other data is encrypted and backed up to another secure location. Two-factor and multi-factor authentication can help secure vulnerable accounts.”
Meanwhile, Haystack’s Britton advised that the most important preventative action any company can take is to invest in a cybersecurity team.
“This is quickly becoming table stakes in this current climate of cyberattacks,” he said. “We have the technology to find critical talent, even in a tight labor market. We need to find the next generation of cyber-professionals and get them into the fight, or this threat will only continue to grow.”
Hello Kitty: Ransomware Extortion Tactics Evolve
The targeting of information specifically damaging to share price isn’t the only emerging ransomware trend. Last week, the FBI said that the Hello Kitty group of cybercriminals (aka FiveHands) has added the threat of distributed denial of service (DDoS) attacks to its mix of “persuasion” tactics.
“Hello Kitty actors aggressively apply pressure to victims typically using the double-extortion technique,” the FBI warned in an alert [PDF] on Friday, referring to the double-whammy of encrypting files and exfiltrating information to make public if ransoms aren’t paid. It added, “In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a [DDoS] attack on the victim company’s public-facing website.”
Hello Kitty is known for hitting CD Projekt Red, the game developer behind Cyberpunk 2077, with ransomware earlier this year. It typically tailors its ransom demands to targets, and is known for using compromised credentials or known (patched) vulnerabilities in SonicWall products for initial access to corporate networks.
Using DDoS is increasingly a part of so-called “quadruple extortion” attacks. Last year, the SunCrypt ransomware group drew praise from a REvil higher-up for pioneering the idea.