FBI Warns that Ransomware Gangs are Targeting Significant Financial Events

When a company is involved in a merger, acquisition, or listing on an internationally respected stock exchange it is a significant financial event in that organization’s history. The Federal Bureau of Investigation (FBI) is now warning that such events are now being targeted by ransomware gangs in a variety of ways in order to place more pressure on victims to pay the ransom lest the financial event is derailed by ransomware revelations.

The FBI believes that ransomware gangs search through publicly available information, like stock price valuations and the various reporting mechanisms for companies that go public as well as information they may have stolen while compromising the victim’s digital infrastructure.

fbi warns - ransomware targets financial events

This information is then weaponized in a sense and used to place more pressure on the victim to pay the ransom demand. The pressure comes in the form of the ransomware gang releasing sensitive information that will cause an investor backlash or merger and acquisition talks to be derailed.

The ransomware threat faced by organizations today is often referred to as double extortion and can be seen as a two-stage attack. The first is when the network is compromised and the attacker steals data from the victim, as in a data breach.

The second stage is the encryption of data across the network. During the first phase, information that is not public knowledge and that is sensitive in nature for the time-sensitive financial events can add more leverage onto the victim, increasing the chances that the victim pays the ransom.

This evolution on the double extortion tactic mentioned above seems to have started in 2020, with those behind the now-defunct Sodinokibi ransomware gang with two events, one becoming public knowledge in February and the second in March.

Examples of New Tactic

Returning to the event in February security researchers discovered that Sodinokibi’s administrators were urging affiliates to copy all data stolen from high profile victims to be published and distributed via a blog, copying DoppelPaymer’s addition to the double extortion tactic.

However, the administrators of Sodinokibi suggested that sensitive data can be directly leaked to financial bodies, like the Nasdaq stock exchange, as a means of placing more financially related pressure on the victim. The entire post read,

“For all previously published orders, we found artists. The tasks set are difficult, but solvable. We hope to add all the functionality as soon as possible, as it will be ready. We also finished work on a blog in which data from compromised systems will be published. We urged all adverts to copy information as often as possible, so we are convinced that this will be a very effective use of this blog. Not all blog information is available for viewing - some information is previously available to services for the sale of SS and other information, which will allow you to get a fairly high rate of return on this information.

Now we can say with confidence - all the companies that have our product have serious problems with data privacy. We strongly recommend that these companies move to negotiations fairly quickly, as we plan to expand and improve this blog. Have some interesting thoughts about auto -notification email addresses of stock exchanges (for example, NASDAQ ), which will allow you to influence the financial condition of the company quickly and efficiently.
Now all data will be published on this blog.
There are 3 places in the affiliate program. Interested in networking. Soon, probably, we will leave all sites and stop recruiting. Hurry up.”

In March this request was seen put in action when communication with a victim via the leak site revealed that the gang would reveal the victim’s “dirty” financial secrets along with the intent to sell social security numbers on the black market for an acceptable return. The communication to the company, whose identity was not disclosed at the time, read,

“It is only a small part of your data and it’s in the picture for now. Every day more and more information will be uploaded.
SSN + DOB + other information about people - will be sold in DarkWeb to people who will use them for their probably “dark deals”.
After revealing people’s personal data, they will be informed who is guilty in publications.
There is also other interesting information. Your financial reports are very interesting and “dirty” - these secrets will be revealed a little later to certain people.”

The FBI provided further examples of this tactic being deployed, listing four examples. They are:

  • In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks."
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire.
  • In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information."

Ranzy Locker Warning

In another bit of ransomware-related news, the FBI also recently warned that the threat actors behind the Ranzy Locker had already 30 US companies this year. Ranzy Locker is identical to another ransomware strain ThunderX and the FBI noted that many of the US victims had their networks compromised by brute-forcing Remote Desktop Protocol (RDP) credentials.

Later attacks made use of exploiting Microsoft Exchange Servers and phishing campaigns to steal credentials to get the threat actors into the infrastructure.

Security researchers believe that Ranzy Locker, rather than being a new ransomware gang, is simply a rebranding of the Ako ransomware strain. The believed rebranding started with Ako going to ThunderX and then to Ranzy Locker.

The FBI warning includes helpful indicators of compromise (IoC) and other technical details that may help victims identify what they are dealing with. The warning also contains must-read mitigation strategies that help prevent a ransomware infection.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal