The FBI warned businesses Monday that ransomware groups may be seeking out companies undergoing mergers and acquisitions as victims, threatening to disclose sensitive deal-related data in order to push for rapid ransom payment.
It's a new configuration of several old cyberthreats, say experts, and possibly a look at the uglier side of the threat model of new business partners.
"Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash," wrote the FBI.
The period prior to an acquisition or merger is a sensitive one for companies. For most larger transactions that require a premerger filing with the Federal Trade Commission, both buyer and seller must submit forms and provide data about their industry and their own businesses. By law, all information gathered in a merger investigation is confidential, with strict rules against disclosure. Even smaller deals that do not require FTC review involve the exchange of sensitive, nonpublic information about both parties that, if disclosed, could disrupt the deal or harm either party competitively.
"We've seen these people targeted before and using it as a point of leverage to try to get ransom payment is not unique, either," said Mark Lance, ransomware negotiator and senior director for cyber defense at GuidePoint Security. "We'll see these threat actors really try to do whatever it takes, and threaten whatever it takes to get that payment."
Indeed, while ransomware actors targeting companies undergoing mergers is a relatively new development, using knowledge of mergers gained after the breach is not, noted several experts. Ransomware groups regularly use corporate news as leverage in negotiations. It also is not the first instance of ransomware groups or affiliates gravitating toward specific victims for more certain payouts. And targeting companies that have announced mergers has long been an APT tactic — infecting a weaker network before it plugs into a more valuable one.
Last-minute news of breaches has interfered with mergers at least as far back as the Verizon acquisition of Yahoo, which closed in 2017, when Verizon knocked $350 million off its purchase price after two massive Yahoo breaches came to light.
Ransomware groups, including the now-dormant REvil and the rebranded DarkSide, have discussed how to use mergers as a pressure point during negotiations since last year, said Allan Liska, a ransomware expert with Recorded Future. Specifically targeting companies because of a potential merger is much more recent, he said, but is increasingly prevalent.
"If we see an announcement in the Financial Times, we’ll see an increase in scanning activity," said Liska.
Lance said he believed, in his experience, that companies dead-set on being acquired might be willing to pay a ransom quickly to prevent a buyer from changing its mind — though he was also slightly disappointed this was the case.
In addition to ransomware negotiations, GuidePoint also performs network security audits on companies before or soon after a merger, to keep legacy problems in the acquired network from spreading into the main corporate network. Lance said that many companies are completely open to a potential buyer kicking the tires on their networks. Others, he said, are more restrictive about access until after a deal goes through.
"Either way, you would hope that in an organization, if they're being hit by ransomware, and in the midst of some sort of acquisition, that they're going to be forthright about that with the company acquiring them," he said.