Ransomware criminals targeting confidential M&A data, FBI warns
Cyber criminals often use Trojan malware to research nonpublic information
Friday, November 5, 2021
By Jim Tyson for CFODive.com
• The FBI issued a warning that cyber criminals are targeting companies engaged in major transactions such as mergers and acquisitions and extorting ransom by threatening to publicize confidential, market-moving information.
• “Ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections,” the FBI said in a Private Industry Notification on Nov. 1.
• Cyber criminals often use Trojan malware to research nonpublic information among a pool of companies and identify the most vulnerable and promising targets, the FBI said. “Impending events that could affect a victim’s stock value — such as announcements, mergers and acquisitions — encourage ransomware actors to target a network or adjust their timeline for extortion.”
Cyber criminals are attacking a target-rich terrain as the economic rebound from a pandemic-induced recession triggers a surge in deal-making.
Many companies seek partners or buyers while struggling to recover from months of lockdowns and supply chain disruptions. Record fiscal and monetary stimulus has pushed up liquidity, and private equity firms hold abundant “dry powder.”
The value of worldwide M&A activity hit a record $4.4 trillion during the first nine months of 2021, according to Refinitiv. U.S. deal-making valuation rose 139% during the period to $2 trillion, or 45% of the global total.
“Activity is surging as companies use M&A to manage the still-unpredictable economic effects of the COVID-19 pandemic and find their strategic footing,” according to research by McKinsey. “They are pursuing deals to streamline their assets, establish or extend their digital capabilities, acquire top talent and otherwise strengthen their competitive positions.”
Hackers exploit their victim’s concern that company stock valuation will slump, the FBI said. “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
Ransomware attacks hit at least three publicly traded U.S. companies negotiating M&As from March until June 2020, the FBI said. The talks were not publicly known at two of the three companies.
Trojan malware launched by Defray777/RansomEXX made several keyword searches across a victim’s network, looking for references to nasdaq, newswire, “10-q,” and other words associated with filings with the Securities and Exchange Commission, the FBI said.
Ransomware hackers with Darkside posted a message on their blog site in April stating, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication so that it would be possible to earn in the reduction price of shares.”
The FBI recommends that companies not pay ransom to cyber criminals. “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers.”
Companies should take several steps to thwart ransomware attacks: copy critical data in the cloud or on an external hard drive or storage device, regularly update anti-virus and malware software on all hosts and use two-factor authentication for user login credentials.