FBI Warns: Ransomware Groups Using Financial Data for Extortion

Ransomware Threats Targeting Financial Events

The Federal Bureau of Investigation has issued a warning regarding ransomware groups actively targeting organizations involved in crucial financial transactions. These include events such as mergers and acquisitions, with the intent of compelling victims to fulfill ransom demands.

Exploitation of Non-Public Information

According to an advisory released this week, cybercriminals prioritize the acquisition of confidential, non-public data during their targeting process. This information is then leveraged as a threat, with potential public disclosure used to pressure victims into payment.

Cybercriminals identify information not readily available to the public. They then threaten to release this data or utilize it to exert pressure during extortion attempts, aiming to incentivize compliance with ransom requests.

Impact on Stock Value

Events poised to influence a company’s stock valuation, like announcements, mergers, and acquisitions, are particularly attractive to ransomware actors. These events can prompt them to target a network or adjust their extortion timeline once access is gained.

Failure to promptly pay a ransom can result in the public release of sensitive information. This poses a risk of negative investor reaction and potential financial repercussions.

Observed Tactics and Examples

The FBI has documented instances where ransomware groups have exploited ongoing merger or acquisition negotiations to increase pressure on organizations to pay ransoms.

Previously, a prominent member of the REvil ransomware group suggested utilizing the Nasdaq stock exchange as a means of coercion. Subsequently, another group referenced a victim’s publicly traded stock during ransom negotiations.

An analysis of a separate ransomware attack revealed that hackers employed specific keywords to search a victim’s network for confidential financial data. This included information related to regulatory filings and forthcoming press releases.

Collaboration with Market Traders

In April, the DarkSide ransomware group, later known as BlackMatter, expressed interest in collaborating with market traders. Their aim was to punish victims who refused to pay by providing insider information.

The group encouraged traders to contact them for details on their latest corporate victims. This would allow traders to engage in short selling before any data leaks and subsequent public announcements.

A post from the hacking collective stated they were targeting companies listed on NASDAQ and other stock exchanges. They offered to provide information prior to public release, enabling traders to profit from a decline in share price.

FBI Recommendations and Recent Warnings

The FBI consistently advises against complying with cybercriminals’ ransom demands. Paying ransoms can embolden attackers and fund further criminal activities.

However, the FBI acknowledges that organizations facing operational incapacitation may consider all available options to protect stakeholders.

This warning follows a recent joint advisory from the FBI, CISA, and NSA. It highlighted that BlackMatter has targeted organizations considered critical infrastructure, including entities within the U.S. food and agriculture sector.