Search This Blog

FBI: Ransomware Targets Firms During Mergers and Acquisitions

Firms should avoid paying a ransom as there is no guarantee that doing so will protect them against data breaches, as per FBI.


The FBI cautions that ransomware groups are targeting companies in "time-sensitive financial events" such as corporate mergers and acquisitions in order to extort their victims. 

The FBI stated in a private industry notice issued on Monday that ransomware operators would utilize financial information gathered before assaults as leverage to compel victims to pay ransom demands. 

The federal law enforcement agency stated further, "The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections." 

"During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established." 

For example, last year, the REvil (Sodinokibi) ransomware gang stated that they were considering introducing an auto-email script that would notify stock exchanges, such as NASDAQ, that firms had been affected by ransomware, potentially affecting their stock price. REvil is also looking into stolen data after breaching firms' systems to identify destructive material that may be used to force victims to pay ransoms.

More recently, DarkSide malware declared that it will share insider information about firms operating on the NASDAQ or other stock exchanges with traders looking to short the stock price for a quick profit. The FBI also highlighted numerous examples of ransomware gangs targeting susceptible firms using inside or public information about active merger or acquisition negotiations: 
  • In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks." 
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations. 
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire. 
  • In April 2021, Darkside ransomware4 actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information." 
As per the FBI, paying a ransom to ransomware groups is not encouraged and should be avoided by organizations since there's no certainty doing so would safeguard them against data leaks or future assaults. Paying ransoms encourages the crooks behind ransomware operations to target even more victims and encourages other cybercrime groups to follow their lead and join them in unlawful activities. 

The FBI, on the other hand, realises the harm a ransomware assault can do a firm, as executives may be compelled to contemplate paying a ransomware actor to safeguard shareholders, customers, or staff. The FBI highly advises that such events be reported to their local FBI field office.
Share it:

Cyber Security

data security

Ransom Payment


Ransomware Groups


Sensitive data