The FBI is warning about a fresh extortion tactic: threatening to destroy share prices for publicly held companies.
Ransomware gangs are zeroing in on publicly held companies with the threat of financial exposure in an effort to encourage ransom payments, the FBI is warning.
Quarterly Earnings
In an alert issued this week [PDF], the Bureau explained that activity over the course of the past year shows a trend toward targeting companies when they’re coming up to “significant, time-sensitive financial events,” such as quarterly earnings reports & mandated SEC filings, initial public offerings, M&A activity, etc.
The aim is to increase the extortion pressure by threatening to leak stolen information relevant to these events if the target does not pay.
“Impending events that could affect a victim’s stock value, such as announcements or mergers & acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion,” the FBI noted.
Critical Inflection Points
Doug Britton, CEO at Haystack Solutions, noted that it is a clever strategy.
“Criminal organisations are realising the ability to drive pressure in their extortion demands by targeting companies at critical inflection points in their growth,” he stated.
“This is a strategic play on an otherwise familiar ransomware attack. Any company that doesn’t prepare for this attack is risking their ability to operate or fulfil their obligation to shareholders.”
Targeting Stock Prices
In 2020, the ransomware player who goes by the handle “Unknown” (believed to be a former leader of the REvil group) appeared to mastermind the approach, suggesting on the Russian-language Exploit hacking forum that a great way to make targets give in to ransom demands is by referencing their corporate presence on the US NASDAQ stock exchange.
Soon, some were following the advice: “Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, ‘We have also noticed that you have stocks. If you do not engage us for negotiation, we will leak your data to the Nasdaq & we will see what is going to happen with your stocks,’” according to the alert.
M&A Negotiations
Also last year, at least 3 publicly traded US companies actively involved in M&A negotiations were hit with ransomware.
As well, a technical analysis of the PyXie remote access trojan (which acts as a 1st-stage implant that eventually delivers the Defray777/RansomEXX ransomware) revealed several financially related keyword searches, the FBI explained.
These included “10-Q,” referring to a quarterly report that must be submitted by all US publicly traded companies disclosing relevant information regarding finances; “10-SB,” which is a form used to register the securities of small businesses that want to trade on US exchanges; & “N-CSR,” a form that must be filed within 10 days of a company issuing annual & semi-annual reports to stockholders.
Other keywords included NASDAQ, Marketwired & Newswire.
Extortion Pressure
In April, the DarkSide ransomware gang (a group that the FBI has blamed for the Colonial Pipeline attack) posted a plan to use victims’ share price as extortion pressure, according to the FBI, & offered to teach others how to do the same thing.
The message observed: “Now our team & partners encrypt many companies that are trading on NASDAQ & other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
Bill Lawrence, CISO at Security Gate, noted that companies should now be on high alert when going public, executing mergers or acquisitions, or going through other significant financial events & should tightly control information, including public information.
Risk Assessments
“Companies should especially keep their guard up during these types of events & use 3rd-party penetration testers & thorough risk assessments to try to find the security gaps and types of data that would be helpful to criminals,” he noted.
“They should always ensure their public-facing information is controlled carefully, while sensitive financial or other data is encrypted & backed up to another secure location. 2-factor & multi-factor authentication can help secure vulnerable accounts.”
Cyber-Security Team
Meanwhile, Haystack’s Britton advised that the most important preventative action any company can take is to invest in a cyber-security team.
“This is quickly becoming table stakes in this current climate of cyberattacks,” he outlined.
“We have the technology to find critical talent, even in a tight labour market. We need to find the next generation of cyber-professionals & get them into the fight, or this threat will only continue to grow.”
Ransomware Extortion Tactics Evolve
The targeting of information specifically damaging to share price is not the only emerging ransomware trend. Last week, the FBI stated that the ‘HelloKitty’ group of cyber-criminals (aka FiveHands) has added the threat of distributed denial of service (DDoS) attacks to its mix of “persuasion” tactics.
“HelloKitty actors aggressively apply pressure to victims typically using the double-extortion technique,” the FBI warned in an alert [PDF] on Friday, referring to the double-whammy of encrypting files and exfiltrating information to make public if ransoms aren’t paid.
It added, “In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a [DDoS] attack on the victim company’s public-facing website.”
Cyberpunk 2077
HelloKitty is known for hitting CD Projekt Red, the game developer behind Cyberpunk 2077, with ransomware earlier this year. It typically tailors its ransom demands to targets & is known for using compromised credentials or known, already-patched vulnerabilities in SonicWall products for initial access to corporate networks.
Using DDoS is increasingly a part of so-called “quadruple extortion” attacks. Last year, the SunCrypt ransomware group drew praise from a REvil ‘boss’ for pioneering the idea.