FBI ransomware alert: gangs coercing companies engaged in time-sensitive financial activities
Posted by: GuidePoint Security
Published 11/10/21, 9:00am
In a Private Industry Notification (PIN) issued on Monday 11/1, the FBI warned that ransomware gangs were using previously collected financial information to force victims of ransomware attacks to comply with ransom demands. In its statement, the FBI says: “The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
This isn’t the first time ransomware threat actors have leveraged financial impacts to strong-arm victims. In 2020, an unknown ransomware actor encouraged his criminal colleagues to use stock exchanges to influence their extortions. And last year, the REvil gang claimed to be considering the addition of an auto-email script that would notify stock exchanges that one of their listed companies had been attacked.
The FBI warns that gangs are engaging in reconnaissance to glean non-public information on companies in order to use that information (such as a pending but undisclosed merger) to influence ransomware attack outcomes. Fortunately for victims, the stock price impact and investor backlash may not be as dramatic as criminals believe. Research suggests that while stock prices can plummet immediately after attack disclosure, the price usually rebounds to pre-attack levels within days.
Next Steps
The FBI and cybersecurity professionals advise that ransomware victims *do not* pay the ransom. Ransom payments simply encourage future attacks and do not guarantee file or data recovery or privacy. Victims are also strongly encouraged to report ransom attacks and work with local law enforcement and ransomware incident response teams to investigate and mitigate the attack.