FBI Warns of Ransomware Threats to M&A

The FBI issued a warning that ransomware actors are likely to use significant financial events, such as mergers and acquisitions, to select victim companies and to increase their leverage once a ransomware infection is in place.

The advisory noted that between March and July 2020, at least three publicly traded U.S. companies actively involved in mergers and acquisitions were hit by ransomware during their respective negotiations. Of the three pending mergers, two were under private negotiation at the time.

Prior to an attack, ransomware actors research publicly available information, such as a potential victim's stock valuation, and, once inside the network, look for material nonpublic information about the pending deal. If the victim does not pay the ransom quickly, the actors threaten to disclose this information publicly, raising the prospect of investor backlash and putting pressure on the negotiations themselves.

Mergers, Acquisitions and IPOs: High Stakes

“Mergers, acquisitions and IPOs represent points in time where a business has a lot of money at stake and the choice is stark: Pay $5 million in ransom or jeopardize acquisition of the company for $500 million,” said Oliver Tavakoli, CTO at AI cybersecurity company Vectra. “So, targeting companies immediately prior to such events is one of several approaches to improving the attacker’s bottom line.”

He pointed out that attack groups try a variety of approaches to maximize their returns through better "target selection." Timing an attack to a pending deal is one such approach, but it may turn out that attackers make more money by attacking hospitals and extorting them instead.

“This approach definitely introduces some additional challenges for an attacker—they have to break into a specific target rather than concentrating on one which is easy to break into, and do so by a certain deadline,” Tavakoli said. “IPOs don’t have the same time-bound constraints as they are publicly signaled far in advance of the event, so this may end up being a growing vector.”

Stephen Banda, senior manager of security solutions at Lookout, an endpoint-to-cloud security company, pointed out that the combination of a more distributed remote workforce, growing reliance on mobile devices and continued innovation in ransomware keeps challenging security teams.

“Phishing will remain the primary means that an attacker can use to obtain login credentials in order to gain entry into an organization’s environment,” he said. “Since phishing is so effective, it’s likely that bad actors will double down on evolving these tactics beyond the basics of just email.”

Banda predicted that bad actors would continue to target mobile users because there are multiple channels to exploit (SMS, apps and social media platforms), and each of them gives an attacker an effective way to trick a user into clicking through to a fake login page and giving up credentials.

“Attackers also know that employees are most anxious and quick to react to content about an upcoming event, especially while multi-tasking and consuming content on the smaller screens of their mobile devices,” he said. 

Tavakoli said the reason an organization is selected as a target does not change the strategy needed to combat the attack: You must have reasonable controls in place to reduce the likelihood of an intrusion, plus the ability to detect and stop attacks that bypass those controls.

“It is simply the case that if you’re about to undergo one of these events, you should be on heightened alert and should consider augmenting your SOC team during the period of time between when the information about the upcoming event is made public and when the event actually occurs,” he advised.

Banda added that organizations need a reliable, routine vulnerability assessment and patching program that lets them close the inevitable gaps attackers are constantly exploiting.

“A vulnerability and patch management program must extend to mobile, fixed endpoints and cloud applications and servers, so visibility into these risks has to be obtained,” he said. 

FBI Warns Against Paying Ransom

The FBI warned against paying a ransom to criminal actors, as ransom payments can embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or may fund illicit activities.

The advisory also pointed out that paying the ransom does not guarantee that a victim's files will be recovered. However, the FBI noted that it understands that, when a business is faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers.

“Each business will need to consider the situation it finds itself in and make the appropriate decision,” Tavakoli agreed. “There should generally be a bias toward not paying ransoms—after all, funding a criminal enterprise will overall beget more crime.” 

From Banda's perspective, organizations need a way to project the value lost by not paying a ransom (reputation, stock price decline and other factors) against the value lost by paying it and risking future attacks.

“Without a doubt, the optimal stance to take when confronting a ransomware attack is to be able to tell the attackers to bug off, but we all know this is not always so easy,” he said. “To be able to decide not to pay a ransom, you need full visibility into and control of everything going on in your environment so that you can make risk-based decisions based on accurate information.”

The FBI advisory concluded by noting that, regardless of whether an organization decides to pay the ransom, the FBI urges victims to report ransomware incidents to their local FBI field office.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
