FBI Warns of New Ransomware Attacks Exploiting Financial Business Events

The Federal Bureau of Investigation has issued a private industry alert warning about a new tactic being used by ransomware gangs to pressure victims into paying the ransom. In 2020, many ransomware gangs adopted double extortion tactics where sensitive data were exfiltrated from victims’ networks prior to encrypting files. The stolen data were then published on leak sites if victims refused to pay the ransom, or threats were issued to sell the stolen data.

Several ransomware gangs have now taken extortion a step further and are issuing threats to disclose stolen data of publicly traded firms to stock exchanges such as NASDAQ in an effort to tank stock value. The FBI has found evidence of ransomware gangs actively targeting publicly traded companies, those preparing to be listed on stock exchanges, and companies that have impending financial events such as announcements, mergers and acquisitions, or SEC filings. In some cases, the timeline for extortion has been adjusted to coincide with these events to inflict maximum pain.

After stealing data, the cyber actors examine the files to identify information that could damage the victim’s reputation or stock price and demand payment to prevent a damaging disclosure. The FBI said it identified several attacks in 2020 and 2021 where these tactics have been used, with the first case identified in early 2020.

The FBI says a cyber actor with the moniker “Unknown” posted about the tactic on the Russian Exploit hacking forum, suggesting ransomware actors conduct attacks on publicly traded companies and mention the NASDAQ Stock Market in their negotiations to increase the likelihood of payment being made. The REvil gang suggested auto-emailing stock exchanges to advise them of an attack and hurt the company’s stock value. Some ransomware actors took the advice and actively targeted companies involved in financial events such as mergers and acquisitions. The FBI says three publicly traded companies that were actively involved in mergers and acquisitions were targeted between March 2020 and July 2020, with two of those firms under private negotiations at the time of the attacks.

An analysis of the Pyxie RAT in November 2020 identified search terms linked to financial events, including 10-q, 10-sb, n-csr, NASDAQ, marketwired, and newswire. Infections with Pyxie RAT often precede Defray777/RansomEXX ransomware infections. The DarkSide ransomware gang published a post on its website indicating it was interested in attempting to affect a victim’s share price and was offering information for shorting stock.

These tactics may force companies to pay the ransom to protect their shareholders, rather than attempt to recover data from backups. The FBI says it doesn’t encourage victims to pay the ransom but appreciates that when businesses are faced with an inability to function, executives may take steps to protect their shareholders, employees, and customers. Regardless of the decision, the FBI is encouraging all victims of ransomware attacks to report the cyberattacks to their local FBI field office, as the information will help the FBI track ransomware attackers and hold them accountable under U.S. law.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news