This is the most likely time for your business to be hit by ransomware

The FBI has warned that ransomware gangs are increasingly interested in attacking companies that are in the middle of "time-sensitive financial events" such as corporate mergers and acquisitions.

In the private industry notification, the FBI asserts that it has evidence that suggests the online thugs collect financial information before attacks, which they then use as leverage to extort their victims.

“Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” shared the FBI.

Unraveling the modus operandi of such enterprising cyber criminals, the FBI says that they first sneak in malware that helps them trawl the target’s computer for financially sensitive information, which can be used to arm-twist the victim into paying the ransom.

Hitting where it hurts

Impending events that could affect a victim’s stock value, such as major announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion.

This is evidenced by the fact that most victims of this reconnaissance malware don’t actually end up being targeted by the ransomware.

The FBI shared a few incidents to back its claims. It shared that between March and July 2020, at least three publicly traded US companies that were actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. 

Evidence of reconnaissance can be established from the fact that of the three pending mergers, two were under private negotiations.

In the same vein, analysis of the Pyxie remote access trojan (RAT), which often precedes the Defray777/RansomEXX ransomware attack, revealed that the attackers use the RAT to search for files and data that could help influence the victim’s current and near future stock share price. Threats to publicly expose these files could then make the victims more pliable.

Best practices

The FBI used the notification to reiterate its position that it doesn’t condone paying ransom since it only encourages the threat actor to victimize others. However, it understands how businesses that have been crippled by ransomware might not have any other option but to engage with the threat actors.

It ends the notification by listing a variety of ways businesses can protect themselves from such cyber attacks. For instance, it suggests housing copies of critical data in the cloud or on an external offline hard drive or storage device.

It also advises businesses to install and regularly update antivirus software on all hosts.

Importantly, as it suggests that businesses switch to two-factor authentication (2FA), the FBI urges the use of authenticator apps rather than email, since the attackers might already have compromised the victim’s email accounts.

“Implement least privilege for file, directory, and network share permissions,” the FBI concludes, as it lists a few other resources to help businesses batten down the hatches.

Businesses should use one of these best firewall apps and services to protect their networks, and ensure their computers are running these best endpoint protection tools to add another layer of defense against such cyber-attacks.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
