BACKGROUND:
In its November 1st notification Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims, the FBI warns: “Ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
In response, three experts offer perspective.
<p>Ransomware gangs are driven by profit and they’re always looking for new ways to \’motivate\’ their victims pay. They know that the more pain and pressure they apply, the bigger the chance of success. By targeting organizations in the middle of sensitive financial events such as mergers and acquisitions, ransomware gangs expect that their attack will have greater leverage because it can negatively impact the victim’s share price. As additional leverage, the REvil ransomware gang has even gone so far as to claim they were considering adding in auto-email scripts to contact stock exchanges, making them aware of attacks to ensure the victim’s stock price is driven down. Ransomware gangs will stop at nothing to ensure their attacks succeed – and for organizations at risk of attack, that should be a big concern.</p>
<p><span lang=\"EN-US\">M&A’s contain huge amounts of sensitive and highly valuable information and it’s important <wbr />organisations have a real-world view of their own and their targets cybersecurity exposure, because leaking data is an accrued risk for all parties involved – one that cyber criminals will take advantage of. </span> <u></u><u></u> <u></u><u></u></p>
<p><span lang=\"EN-US\">Actively monitoring for data leaks, with visibility across all layers of the internet, including Connected Storage, Cloud Drives, Clear, Deep and Dark Web, Databases, Code Repositories all outside the organization’s security perimeter, is essential. Maintaining good cyber hygiene and staying on top of security risks in a high-stakes environment is the difference in protecting <wbr />against ransomware attacks, or suffering from one.</span></p>
<p>It’s no surprise that ransomware attackers follow the stock market in choosing their victims. The FBI reports that ransomware is often based on financial information published by the enterprise, coupled with insider information found once the attack has occurred. Often it is less about locking up the network than holding enterprises hostage to non-public information.</p>
<p>Ransomware attackers are increasingly going after profit, using their attacks to target companies who have had a run-up in their stock price, or who have received significant VC funding. These enterprises may have money to use to pay ransomware attackers based on ready cash. Attackers often find that it’s easier to pay for non-public information rather than make that information available to the world. “Enterprises can be stuck between paying attackers versus making public potentially material information.</p>
<p>Every enterprise needs to keep financial information private. The best way to do so is to keep attackers out of your network. Failing that, you need to find and eject them before they get harmful data.</p>
<p>Reconnaissance is a key part of any malware attack – be it a data exfiltration attack on an enterprise or a ransomware attack on an individual. The attackers try to collect as much publicly available information on the target. And now that all entities, people and enterprises are living beings on the internet, there is much to be gathered. The key is to assume that data is being collected on the entity that wishes to stay protected – and to shore up the defenses. The key part for the individual are to limit ones surface area of attack by streamlining accounts and access, and to implement MFA at all logons. The same goes through with enterprises with the additional task of gaining knowledge of all the user and admin accounts, since by nature the user problem is much larger for the enterprise.</p>
<p>This criminal tactic is nothing new. Criminals have utilized geographic location, high social status, and evidence of big-ticket purchases to target victims. Criminals are using similar cybercrime tactics to target their next victim. These tactics ensure victims have the means to pay out a ransom and are large enough to be forced to consider the public perception of how an incident is handled. Organizations need to consider the cost of the initial ransom requested and the cost of a damaged public image or leaked proprietary information to a competitor. There are many different driving factors, but they all end at the same point; the need for a secure and resilient network utilizing defense-in-depth to minimize the possibility of such events.</p>