The FBI is warning about a fresh extortion tactic: threatening to tank share prices for publicly held companies.
Ransomware gangs are zeroing in on publicly held companies with the threat of financial exposure in an effort to encourage ransom payments, the FBI is warning.
In an alert issued this week [PDF], the Bureau noted that activity over the course of the past year demonstrates a trend toward targeting companies when they are approaching “significant, time-sensitive financial events,” such as quarterly earnings reports and mandated SEC filings, initial public offerings, M&A activity, and so on. The idea is to ratchet up the extortion thumb-screws by threatening to leak stolen data relevant to these events if the target does not pay up.
“Impending events that could affect a victim’s stock value, such as announcements [or] mergers and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion,” the Feds noted.
Doug Britton, CEO at Haystack Solutions, pointed out that it is a savvy strategy.
“Criminal organizations are recognizing the ability to drive leverage in their extortion demands by targeting companies at critical inflection points in their development,” he said via email. “This is a strategic play on an otherwise common ransomware attack. Any business that does not prepare for this attack is jeopardizing their ability to operate or fulfill their obligation to shareholders.”
Targeting Stock Prices
Last year, the ransomware actor who goes by the handle “Unknown” (believed to be a former leader of the REvil group) appeared to mastermind the strategy, suggesting in the Exploit Russian hacking forum that a good way to persuade targets to succumb to ransom demands is by referencing their company’s presence on the NASDAQ stock exchange.
Soon, some were following the advice: “Following this posting, unidentified ransomware actors negotiating a payment with a victim during a March 2020 ransomware event stated, ‘We have also noticed that you have stocks. If you will not engage us for negotiation, we will leak your data to the nasdaq [sic] and we will see what’s gonna [sic] happen with your stocks,’” according to the alert.
Also last year, at least three publicly traded U.S. companies actively involved in M&A negotiations were hit with ransomware. As well, a technical analysis of the Pyxie remote access trojan (which acts as a first-stage implant that eventually delivers the Defray777/RansomEXX ransomware) uncovered several financially related keyword searches, the FBI said.
These included “10-Q,” referring to a quarterly report that must be filed by all publicly traded companies disclosing pertinent information about finances; “10-SB,” a form used to register the securities of small businesses that want to trade on U.S. exchanges; and “N-CSR,” a form that must be filed within 10 days of a company issuing annual and semi-annual reports to stockholders. Other keywords included NASDAQ, MarketWired and Newswire.
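The keyword list above is the kind of indicator a defender can turn into a detection on file-access telemetry: an unexpected process reading or searching for several distinct SEC-filing documents on one host is worth an alert. The script below is an added example, not code from the FBI alert, Threatpost or any Pyxie analysis. It assumes a simplified, constructed log format (`timestamp host process action path`), a constructed allowlist of processes expected to open such documents, and constructed sample lines; real sources such as Windows object-access audit events or EDR file-read telemetry would need their own parser.

```python
"""Flag processes that hunt for SEC-filing documents in file-access audit logs.

Added example; assumes a constructed, simplified log line format:
    <timestamp> <host> <process> <action> <path>
"""
import re
from collections import defaultdict

# Keywords the FBI reported in Pyxie's searches (filing form names and news-wire terms).
FINANCIAL_KEYWORDS = ("10-Q", "10-SB", "N-CSR", "NASDAQ", "MarketWired", "Newswire")

# Assumed allowlist: processes a finance team would normally use on these documents.
EXPECTED_PROCESSES = {"winword.exe", "excel.exe", "acrobat.exe", "explorer.exe"}

# Actions that indicate reading or enumerating files rather than creating them.
READ_LIKE_ACTIONS = {"READ", "SEARCH", "OPEN"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<action>\S+) (?P<path>.+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_keywords(path):
    """Return the set of financial keywords that appear (case-insensitively) in a path."""
    lowered = path.lower()
    return {k for k in FINANCIAL_KEYWORDS if k.lower() in lowered}


def find_keyword_hunting(lines, min_distinct=2):
    """Return {(host, process): [keywords]} for non-allowlisted processes whose
    read-like accesses touched at least `min_distinct` distinct filing keywords.

    Requiring several distinct keywords per process reduces noise from a single
    legitimate document open while still catching a sweep across filing types.
    """
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] not in READ_LIKE_ACTIONS:
            continue
        if ev["proc"].lower() in EXPECTED_PROCESSES:
            continue
        kws = matched_keywords(ev["path"])
        if kws:
            hits[(ev["host"], ev["proc"])].update(kws)
    return {key: sorted(kws) for key, kws in hits.items() if len(kws) >= min_distinct}


# Constructed sample telemetry: one unexpected process sweeping filing documents,
# one legitimate Word open, one single-keyword touch elsewhere, one write, one bad line.
SAMPLE_LOG = [
    "2021-11-03T09:12:01Z FIN-WS01 winword.exe OPEN C:\\Finance\\Q3\\10-Q_draft.docx",
    "2021-11-03T09:15:44Z FIN-WS01 updater.exe SEARCH C:\\Finance\\*10-Q*",
    "2021-11-03T09:15:45Z FIN-WS01 updater.exe READ C:\\Finance\\N-CSR_2020.pdf",
    "2021-11-03T09:15:46Z FIN-WS01 updater.exe READ C:\\Finance\\press\\Newswire_draft.txt",
    "2021-11-03T09:20:10Z HR-WS07 updater.exe READ C:\\Users\\jdoe\\Documents\\10-SB.docx",
    "2021-11-03T09:21:00Z FIN-WS01 outlook.exe WRITE C:\\Temp\\NASDAQ_note.txt",
    "malformed line",
]

if __name__ == "__main__":
    for (host, proc), kws in find_keyword_hunting(SAMPLE_LOG).items():
        print(f"ALERT {host}: {proc} read documents matching {', '.join(kws)}")
```

Tuning `min_distinct` and the allowlist is the main design choice: lowering the threshold to 1 surfaces single touches (useful during a known-sensitive window such as an earnings period), while the default of 2 keeps day-to-day noise down.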
In April, the DarkSide ransomware gang (a group that the FBI has blamed for the Colonial Pipeline attack) posted a plan to use victims’ share price as extortion leverage, according to the FBI, and offered to teach others how to do the same thing.
The message stated: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
Bill Lawrence, CISO at SecurityGate, noted that businesses should now be on high alert when going public, executing mergers or acquisitions, or going through other significant financial events – and should tightly control data, including public data.
“Companies should especially keep their guard up during these types of events and use third-party penetration testers and thorough risk assessments to try to find the security gaps and types of data that would be useful to criminals,” he noted in an email. “They should always make sure their public-facing data is managed carefully, while sensitive financial or other data is encrypted and backed up to another secure location. Two-factor and multi-factor authentication can help protect vulnerable accounts.”
Meanwhile, Haystack’s Britton suggested that the most important preventative action any organization can take is to invest in a cybersecurity workforce.
“This is quickly becoming table stakes in this current climate of cyberattacks,” he said. “We have the technology to find critical talent, even in a tight labor market. We need to find the next generation of cyber-professionals and get them into the fight, or this threat will only continue to grow.”
Hello Kitty: Ransomware Extortion Tactics Evolve
The targeting of information specifically damaging to share price is not the only emerging ransomware trend. Last week, the FBI said that the Hello Kitty group of cybercriminals (aka FiveHands) has added the threat of distributed denial of service (DDoS) attacks to its mix of “persuasion” tactics.
“Hello Kitty actors aggressively apply pressure to victims typically using the double-extortion technique,” the FBI warned in an alert [PDF] on Friday, referring to the double-whammy of encrypting files and exfiltrating data to make public if ransoms aren’t paid. It added, “In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a [DDoS] attack on the victim company’s public-facing website.”
Hello Kitty is known for hitting CD Projekt Red, the game developer behind Cyberpunk 2077, with ransomware earlier this year. It typically tailors its ransom demands to targets, and is known for using compromised credentials or known vulnerabilities in SonicWall products for initial access to corporate networks.
Using DDoS is increasingly a part of so-called “quadruple extortion” attacks. Last year, the SunCrypt ransomware group drew praise from a REvil higher-up for pioneering the concept.