FBI: Ransomware gangs using financial info to target companies

Ransomware gangs are likely using significant financial events such as mergers and acquisitions to target companies for extortion, the FBI said in an alert  Monday.

The alert came from the Internet Crime Complaint Center (IC3), the FBI's central repository for internet crime reports. According to the Private Industry Notification (PIN), the bureau assessed that threat actors are "very likely" using public and non-public financial information to target and extort potential victims.

Ransomware actors are motivated by time-sensitive financial events, according to the FBI -- if a company is going through a stock valuation, for example, the bad actor can steal non-public information and threaten to leak it. The victim would then be more likely to pay, due to the higher stakes and the risk of backlash from investors.

IC3 did not provide any details regarding relevant complaints it received, and the FBI did not respond to SearchSecurity's request for comment. However, the PIN gave multiple examples illustrating this trend.

The FBI said that between March and July 2020, "at least three publicly traded U.S. companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations." Of the three companies, only one of the negotiations was public knowledge, according to the FBI.

The report also mentioned a Nov. 2020 technical analysis of remote access Trojan "Pyxie RAT," used in ransomware infections; the RAT used several keywords involving SEC filings and financial news to presumably locate relevant files on a victim's network.

Similarly, the PIN mentioned ransomware gang DarkSide, which in April posted a message on its blog claiming they were targeting public companies. "If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares," the post read.

DarkSide threat actors later attacked Colonial Pipeline, which forced the company to shut down operations and triggered a gas panic in parts of the East Coast. Colonial paid a $4.4 million ransom to the threat actors to decrypt its systems, but the FBI later seized much of the payment after obtaining a private bitcoin coin.

Lastly, the FBI referenced an early 2020 post on Russian hacking forum Exploit where an alleged ransomware actor with the username "Unknown" encouraged using Nasdaq to "influence the extortion process."

"Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, 'We have also noticed that you have stocks. If you will not engage us for negotiation, we will leak your data to the nasdaq and we will see what's gonna [sic] happen with your stocks,'" the PIN read.

The intersection of cybercrime and non-public financial information is not a new one. In March, the U.S. Securities and Exchange Commission charged a California man with allegedly selling non-public, fraudulent "insider tips" on the dark web in 2016 and 2017. And in 2015, nine people were charged with hacking newswire services to steal unpublished corporate press releases.

Alexander Culafi is a writer, journalist and podcaster based in Boston.