Ransomware gangs turn corporate financial events into extortion leverage

The US Federal Bureau of Investigation (FBI) has warned that ransomware groups are using the financial fallout of imminent market events as leverage: they attack publicly listed companies at sensitive moments and threaten to disrupt those events unless a ransom is paid.

In an alert issued this week, the FBI said that attacks over the past year show a new trend in which threat actors time their intrusions to coincide with major, sensitive financial events at the target company, such as quarterly earnings reports and SEC filings, initial public offerings, and merger and acquisition activity. The attackers threaten to leak stolen information tied to these events if the victim does not pay, which sharply increases the pressure to pay.

The FBI noted that any event that could move the victim's stock price, such as a merger or acquisition, makes that company an attractive target for ransomware actors.

Security practitioners described this as a shrewd strategy. Criminal groups have realized that hitting a company at a critical point in its growth greatly amplifies the damage an attack can do, and any company that has not prepared for this kind of timed pressure faces a serious risk.

Attacks on stock prices

Last year, a ransomware actor going by the handle "Unknown" (thought to be the former leader of the REvil group) appeared to be the originator of this approach. On the Russian-language hacking forum Exploit, he suggested that one way to prompt targets into paying would be to check whether they are listed on the Nasdaq stock exchange.

Others soon followed the suggestion. After that post, an unidentified ransomware actor negotiating payment with a victim of a March 2020 ransomware attack said: "We have noticed that you have stocks. If you do not negotiate with us, we will leak your data to Nasdaq, and we will see what happens to your stock."

Also last year, at least three publicly traded US companies involved in merger negotiations were hit by ransomware. In addition, the FBI said that technical analysis of the Pyxie remote access trojan (used as the first stage of attacks that ultimately deliver the Defray777/RansomEXX ransomware) revealed several searches for keywords related to financial information.

These keywords include "10-Q", the quarterly report that all SEC-registered public companies must file to disclose financial information; "10-SB", the registration form formerly used by small business issuers to register securities for trading on US exchanges; and "N-CSR", the certified shareholder report that registered investment companies must file within 10 days of sending their annual or semi-annual reports to shareholders. Other keywords include Nasdaq, MarketWired and Newswire.
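The keyword list above is the kind of indicator an analyst can turn into a triage heuristic: given the strings extracted from a sample, or the file paths a suspect process touched, count how many of the FBI-reported financial-filing terms appear. The following is an added example written for this page, not code from the FBI alert or from any analysis of Pyxie; the sample strings are constructed for illustration, and the keyword set is exactly the one the page lists.

```python
"""
Triage heuristic: score a set of strings (output of `strings` on a sample,
file paths from an EDR timeline, command lines) against the financial-filing
keywords the FBI reported seeing in Pyxie RAT searches.

This is an added example for this page, not the FBI's or anyone's detection
logic. The keyword list is the one the page cites; everything else is an
assumption for illustration.
"""
import re
from collections import Counter

# Keywords from the FBI alert as summarised on this page.  Each regex is
# case-insensitive and refuses to match inside a longer alphanumeric token,
# so "10-Q" does not fire on "10-QSB" and "nasdaq" does not fire on
# "nasdaqx".  Underscores and punctuation on either side are allowed because
# keywords typically appear in file names such as Q3_10-Q_draft.docx.
FINANCIAL_KEYWORDS = {
    "10-Q":        r"(?<![A-Za-z0-9])10-Q(?![A-Za-z0-9])",
    "10-SB":       r"(?<![A-Za-z0-9])10-SB(?![A-Za-z0-9])",
    "N-CSR":       r"(?<![A-Za-z0-9])N-CSR(?![A-Za-z0-9])",
    "Nasdaq":      r"(?<![A-Za-z0-9])nasdaq(?![A-Za-z0-9])",
    "MarketWired": r"(?<![A-Za-z0-9])marketwired(?![A-Za-z0-9])",
    "Newswire":    r"(?<![A-Za-z0-9])newswire(?![A-Za-z0-9])",
}
_PATTERNS = {name: re.compile(rx, re.IGNORECASE)
             for name, rx in FINANCIAL_KEYWORDS.items()}


def find_financial_keywords(lines):
    """Return a Counter mapping keyword -> number of input lines containing it."""
    hits = Counter()
    for line in lines:
        for name, pattern in _PATTERNS.items():
            if pattern.search(line):
                hits[name] += 1
    return hits


def matching_lines(lines):
    """Return (keyword, line) pairs so an analyst can see the evidence."""
    evidence = []
    for line in lines:
        for name, pattern in _PATTERNS.items():
            if pattern.search(line):
                evidence.append((name, line))
    return evidence


def financial_targeting_score(lines, min_distinct=3):
    """
    Return (distinct_keyword_count, flagged).

    A single keyword is weak evidence: accounting, investor-relations and
    news-aggregation software legitimately contains these terms.  The
    threshold of three distinct keywords (an assumed tuning value, not from
    the alert) is meant to lift a sample for manual review, not to convict it.
    """
    hits = find_financial_keywords(lines)
    return len(hits), len(hits) >= min_distinct


# Constructed sample: what `strings` might show for a suspect binary, plus a
# couple of file paths from a process timeline.  Not a real Pyxie artefact.
SAMPLE_STRINGS = [
    r"C:\Users\cfo\Documents\Q3_10-Q_draft_v7.docx",
    "SELECT * FROM filings WHERE form = '10-Q'",
    "https://www.nasdaq.com/market-activity",
    "Form N-CSR certified shareholder report",
    "press release via Newswire - embargoed",
    "kernel32.dll",
    "GetProcAddress",
]

# Constructed control: strings from an unrelated, benign-looking tool.
BENIGN_STRINGS = ["kernel32.dll", "GetProcAddress", "config.ini"]


if __name__ == "__main__":
    for keyword, line in matching_lines(SAMPLE_STRINGS):
        print(f"{keyword:12s} {line}")
    print("score:", financial_targeting_score(SAMPLE_STRINGS))
    print("control:", financial_targeting_score(BENIGN_STRINGS))
```

Feed the functions any iterable of strings, for example the lines of `strings -n 6 sample.exe` or the file paths from an EDR file-access export. Treat a positive result as enrichment for a hunt (a process that both searches for these terms and stages archives for exfiltration is far more interesting than the keywords alone), since legitimate finance and IR tooling will also trip the threshold.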

According to the FBI, in April the DarkSide ransomware group (which the FBI holds responsible for the attack on Colonial Pipeline) announced a plan to use victims' stock prices as leverage for extortion and offered to teach others how to do the same.

The group said that its team and partners had encrypted the data of many companies trading on Nasdaq and other stock exchanges, and that if a company refused to pay, they were prepared to release the information before the company published it, so that it would be possible to profit from the resulting change in the share price. It invited interested parties to write in promptly for detailed information.

Security experts said that companies should now be especially vigilant when going public, executing a merger or acquisition, or going through any other major financial event, and should strictly control the release of information during that window, including information that will eventually be made public.

One of them noted in an email that, in the face of these attacks, companies should be highly alert and should promptly bring in third-party penetration testers to perform a thorough risk assessment and find the weaknesses criminals would exploit. They should make sure the information they release publicly is effectively controlled, and sensitive financial and other data should be encrypted and backed up to a separate, secure location. Two-factor or multi-factor authentication can also help protect their accounts.

At the same time, security experts suggested that the single most important defensive step a company can take is to invest in building a cyber security team.

The same expert said: "In the current cyber attack environment, corporate security is becoming very important. We need to find the next generation of cyber security professionals and bring them into the fight, otherwise this threat will only continue to grow."

The evolution of Hello Kitty's extortion tactics

Attacking stock prices is not the only new pressure tactic among ransomware groups. Last week, the FBI said that the Hello Kitty cybercriminal gang (aka FiveHands) has added distributed denial of service (DDoS) attacks to its portfolio of techniques for pushing companies to pay.

The FBI warned in an alert on Friday: "Hello Kitty actors typically use a double-extortion technique to put pressure on victims. They encrypt important files and exfiltrate information, and threaten to make it public if the ransom is not paid." It added that in some cases, if the victim does not respond quickly or does not pay, the attackers launch a DDoS attack against the victim company's website.

Hello Kitty gained worldwide attention earlier this year for its ransomware attack on CD Projekt Red, the game developer behind Cyberpunk 2077. The group typically tailors its ransom demand to the characteristics of the target network, and gains access to corporate networks using stolen credentials or known (already patched) vulnerabilities in SonicWall products.

The use of DDoS has increasingly become part of so-called "quadruple extortion" attacks. Last year, the SunCrypt ransomware group earned praise from REvil's leadership for being the first to propose the idea.
