On Monday, November 1st, the U.S. Federal Bureau of Investigation (FBI) issued a Private Industry Notification (PIN) regarding tactics being used by ransomware gangs as their attacks continue to plague all levels of the country’s government, technology industries, healthcare and economy.
In the document, a publicly viewable PDF, the FBI describes a new strategy in which ransomware actors have been using impending “significant financial events” to both target and pressure companies into bending to their will.
What are “significant financial events”?
The document describes “significant financial events” as mergers and acquisitions. These kinds of business developments can put strain on companies as they formulate restructuring plans, changes in leadership and corporate assimilations. Ransomware gangs, knowing that where there is stress there is vulnerability, have been using the chaos of these events to their advantage.
How have ransomware gangs been capitalizing on financial events?
Stock valuation is paramount when it comes to a company’s perceived worth and integrity. When significant financial events are on the horizon, maintaining investor confidence is critical to keeping the process on track. A ransomware attack during any period of transition is disruptive enough to derail and delay plans. A strategically planned ransomware attack that threatens to send stock prices plummeting with the reveal of sensitive monetary data in the face of an impending merger, however, can have catastrophic repercussions and completely destroy a financial event. Ransomware actors have been found to use both publicly available information as well as stolen data to threaten their victims with “investor backlash.”
How does a ransomware attack work?
The FBI document states that ransomware attacks often occur in two stages. Initially, the threat actor infects a victim’s network with a trojan that lets the attackers view the victim’s data and formulate a strategy for carrying out a successful scheme. These trojans are often distributed en masse, and only the victims deemed potentially profitable are subsequently attacked with ransomware. Organizations that the hackers find to hold valuable, private information may then find themselves in the crosshairs.
Once an attack has been initiated, a victim’s network is encrypted. A message from the threat actor will then materialize in some form. This message will typically describe the extent of the data being held captive, the ransom being demanded in exchange for the stolen information as well as threats to release or sell the data if the ransom is not paid within a certain period of time.
Examples of ransomware actors leveraging the stock market
The FBI has included the following examples on their PIN that support their findings:
- On a Russian hacking forum called “Exploit,” a ransomware actor promoted the idea of extorting companies by leveraging the NASDAQ stock exchange. Not long after, ransomware actors used this recommendation to their advantage in negotiating with a victim in March of 2020.
- In the spring of 2020, three major companies that were in the process of negotiating mergers or acquisitions were hit with ransomware.
- Analysis of data related to Pyxie RAT, a trojan often deployed prior to a full-blown ransomware attack, found that hackers were searching victim networks for keywords such as “nasdaq,” “newswire” and “marketwired.” This finding indicates a growing interest in internal company information pertaining to the stock market. The hackers were likely seeking files containing stock-related memos or language that the company has an interest in keeping secret.
- DarkSide, a ransomware gang believed to be located in Eastern Europe, became even more savvy in their weaponizing and utilization of the stock market against their victims with a message posted in April of 2021 that read: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
The next month, DarkSide would gain international notoriety with its attack on Colonial Pipeline.
What does the FBI recommend?
The FBI encourages organizations to refuse payment to ransomware gangs, as success only bolsters their future efforts. For organizations to both protect their data and mitigate potential damage from an attack, the FBI recommends the following cybersecurity strategies. While these suggestions may seem basic in nature, disregard for these principles is often at the root of major ransomware attacks.
- Critical data should be backed up offline, where outside users will not be able to remotely access it.
- Critical data should be copied and stored either in the cloud or on physical storage devices.
- Backed up data should not be accessible from the same system that contains the original information.
- Install and update anti-virus and anti-malware products across all hosts and devices.
- Avoid public Wi-Fi and unsecured networks.
- Use two-factor authentication via an authenticator app rather than email, as email accounts may be compromised in the course of an attack.
- Do not click on or open any attachments from unsolicited emails, as phishing is a common way for threat actors to access your network.
- Keep your network permissions tight, up to date and regularly adjusted.
FBI-recommended ransomware resources
The FBI also recommends the following resources to promote better education and awareness regarding cybersecurity and ransomware attacks:
StopRansomware.gov is the U.S. government’s number one resource for private citizens looking to learn more about ransomware.
The Cybersecurity and Infrastructure Security Agency (CISA)’s Ransomware Guide provides detailed guidance regarding ransomware.
CISA’s joint Technical Approaches to Uncovering and Remediating Malicious Activity is also recommended to ensure that proper strategies are implemented with regard to incident handling.
The FBI’s ransomware-focused PIN comes at the end of a year in which the federal government has prioritized an increase in cybersecurity awareness and preparedness after ransomware attacks have escalated in both frequency and boldness.
2021 has seen the formation of a joint international coalition focused specifically on sharing resources and data with regard to Chinese hacking. The 2022 National Defense Authorization Act, a defense bill currently before the U.S. Congress, has also had cybersecurity amendments proposed that would require critical organizations to report cybercrime to the federal government within a limited period of time after detection.