A merger, an acquisition, or a listing on an internationally respected stock exchange is a significant financial event in a company's history. The Federal Bureau of Investigation (FBI) is warning that ransomware gangs are now targeting such events in a variety of ways in order to place more pressure on victims to pay the ransom, lest the event be derailed by ransomware revelations.
The FBI believes that ransomware gangs trawl publicly available information, such as stock price valuations and the regulatory filings that companies going public must make, and combine it with information stolen while compromising the victim's digital infrastructure.
This information is then weaponized, in a sense, to place more pressure on the victim to pay the ransom demand: the gang threatens to release sensitive information at a moment when it will cause an investor backlash or derail merger and acquisition talks.
The ransomware threat faced by organizations today is often referred to as double extortion and can be seen as a two-stage attack. In the first stage the network is compromised and the attacker steals data from the victim, as in a data breach.
The second stage is the encryption of data across the network. Sensitive, non-public information gathered during the first stage about a time-sensitive financial event gives the attacker extra leverage, increasing the chances that the victim pays the ransom.
This refinement of the double extortion tactic seems to have started in 2020 with the group behind the now-defunct Sodinokibi ransomware, in two events: one that became public knowledge in February and a second in March.
Examples of New Tactic
Returning to the February event: security researchers discovered that Sodinokibi's administrators were urging affiliates to copy all data stolen from high-profile victims so that it could be published and distributed via a blog, copying DoppelPaymer's addition to the double extortion tactic.
The administrators of Sodinokibi went further, suggesting that sensitive data could be leaked directly to financial bodies, such as the Nasdaq stock exchange, as a means of placing financial pressure on the victim. The entire post read,
“For all previously published orders, we found artists. The tasks set are difficult, but solvable. We hope to add all the functionality as soon as possible, as it will be ready. We also finished work on a blog in which data from compromised systems will be published. We urged all adverts to copy information as often as possible, so we are convinced that this will be a very effective use of this blog. Not all blog information is available for viewing - some information is previously available to services for the sale of SS and other information, which will allow you to get a fairly high rate of return on this information.
Now we can say with confidence - all the companies that have our product have serious problems with data privacy. We strongly recommend that these companies move to negotiations fairly quickly, as we plan to expand and improve this blog. Have some interesting thoughts about auto-notification email addresses of stock exchanges (for example, NASDAQ), which will allow you to influence the financial condition of the company quickly and efficiently.
Now all data will be published on this blog.
There are 3 places in the affiliate program. Interested in networking. Soon, probably, we will leave all sites and stop recruiting. Hurry up.”
In March this suggestion was seen put into action when communication with a victim via the leak site revealed that the gang would expose the victim's "dirty" financial secrets, alongside its intent to sell Social Security numbers on the black market for an acceptable return. The communication to the company, whose identity was not disclosed at the time, read,
“It is only a small part of your data and it’s in the picture for now. Every day more and more information will be uploaded.
SSN + DOB + other information about people - will be sold in DarkWeb to people who will use them for their probably “dark deals”.
After revealing people’s personal data, they will be informed who is guilty in publications.
There is also other interesting information. Your financial reports are very interesting and “dirty” - these secrets will be revealed a little later to certain people.”
The FBI's notification provides four further examples of this tactic being deployed:
- In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks."
- Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations.
- A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.
- In April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information."
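The Pyxie RAT keyword list above is a usable detection hook: a single search for a filing term is weak evidence, since finance staff look these up legitimately, but a burst of several distinct terms from one account in a short window is worth a triage ticket. The following Python script is an added example, not part of the FBI notification or of any vendor's product; the log format, host names, account names and the ten-minute window are invented for illustration, and the only thing taken from the page is the keyword list itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keyword list reported in the FBI notification's Pyxie RAT analysis (quoted in the text above),
# lowercased for case-insensitive matching against log content.
FILING_KEYWORDS = ("10-q", "10-sb", "n-csr", "nasdaq", "marketwired", "newswire")

# Constructed sample telemetry, not real logs: one event per line in a simple key=value format.
# Hosts, users and paths are invented. ws17/svc_backup shows the burst pattern; ws04/cfo shows
# two legitimate-looking lookups hours apart that should not trigger.
SAMPLE_LOG = """\
2020-11-02T09:14:05Z host=fs01 user=jdoe event=file_read path=\\\\fs01\\finance\\budget_2021.xlsx
2020-11-02T09:15:11Z host=ws17 user=svc_backup event=search term=10-q
2020-11-02T09:15:13Z host=ws17 user=svc_backup event=search term=NASDAQ
2020-11-02T09:15:20Z host=ws17 user=svc_backup event=search term=marketwired
2020-11-02T09:16:02Z host=ws17 user=svc_backup event=file_read path=\\\\fs01\\legal\\merger_draft.docx
2020-11-02T11:40:00Z host=ws04 user=cfo event=search term=nasdaq
2020-11-02T16:40:00Z host=ws04 user=cfo event=search term=10-q
"""

# Assumed log layout: ISO timestamp, then host=, user=, event=, then free-form detail.
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+) (.*)$")


def parse_events(log_text):
    """Yield (timestamp, host, user, event, detail) tuples; silently skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def matched_keywords(detail):
    """Return the set of filing keywords present in a log detail string (case-insensitive)."""
    text = detail.lower()
    return {kw for kw in FILING_KEYWORDS if kw in text}


def detect_filing_reconnaissance(log_text, window=timedelta(minutes=10), min_distinct=2):
    """Flag (host, user) pairs that touch at least `min_distinct` different filing keywords
    within `window`. Returns a list of alert dicts sorted by host and user; one alert per pair."""
    hits = defaultdict(list)  # (host, user) -> [(timestamp, keyword), ...]
    for ts, host, user, _event, detail in parse_events(log_text):
        for kw in matched_keywords(detail):
            hits[(host, user)].append((ts, kw))

    alerts = []
    for (host, user), events in hits.items():
        events.sort()
        # Sliding window: starting from each hit, collect the distinct keywords seen within `window`.
        for i, (start_ts, _) in enumerate(events):
            seen = {kw for ts, kw in events[i:] if ts - start_ts <= window}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "window_start": start_ts.isoformat(),
                               "keywords": sorted(seen)})
                break  # one alert per (host, user) is enough for triage
    return sorted(alerts, key=lambda a: (a["host"], a["user"]))


if __name__ == "__main__":
    for alert in detect_filing_reconnaissance(SAMPLE_LOG):
        print(alert)
```

Run against the embedded sample, the script flags only ws17/svc_backup, which hit three distinct terms in nine seconds; the two cfo lookups five hours apart stay below the threshold. Tune `window` and `min_distinct` to your own baseline, and feed it search, file-access or command-line telemetry rather than relying on any one source.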
Ranzy Locker Warning
In another bit of ransomware-related news, the FBI also recently warned that the threat actors behind Ranzy Locker had already compromised 30 US companies this year. Ranzy Locker is identical to another ransomware strain, ThunderX, and the FBI noted that many of the US victims had their networks compromised through brute-forcing of Remote Desktop Protocol (RDP) credentials.
Later attacks gained a foothold by exploiting vulnerable Microsoft Exchange servers and by running phishing campaigns to steal credentials.
Security researchers believe that Ranzy Locker, rather than being the work of a new ransomware gang, is simply a rebranding of the Ako ransomware strain, with the lineage running from Ako to ThunderX and then to Ranzy Locker.
The FBI warning includes indicators of compromise (IoCs) and other technical details that may help victims identify what they are dealing with, along with must-read mitigation strategies that help prevent a ransomware infection.