Brazen ransomware groups are continuing to seek out new avenues to rake in profits and ratchet up pressure on victims. In one of the latest such developments, the DarkSide ransomware group is openly coaxing stock traders to reach out and receive the inside scoop on the gang’s latest corporate victims, so they can short sell their stock before any data is leaked and the news goes public.
An entry on the DarkSide Leaks site dated April 20 states: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”
The threats actors potentially could benefit in two ways. If any unscrupulous traders were to take DarkSide up on its offer, the ransomware gang could potentially charge them a handsome sum for this inside information. And if enough traders were to engage in short selling, the company’s stock price could drop artificially through manipulation – a consequence that victims that extorted organizations might try to avoid by simply paying the ransom.
Brett Callow, threat analyst at Emsisoft, told SC Media he suspects the second scenario is more likely what the attackers have in mind when they posted the offer online. Either way, he is not aware of any other ransomware group using this apparently novel tactic.
“In recent months, ransomware groups have been looking for new ways to pressure their targets into paying, from publicizing attacks via Facebook ads to reaching out to customers and asking them to contact the breached company to insist that it take action to protect their data – in other words, that they pay the ransom,” said Callow. “Given that, it’s not at all surprising to see a group experiment with this strategy. I suspect their intention is not to obtain money from unscrupulous traders, but rather to scare future victims into settling quickly in order to avoid the possibility of their stock being shorted. I doubt that the strategy will be successful or be emulated by other groups, but time will tell.”
But how much impact could such insider trading activity actually have on a company’s stock viability in the eyes of the investment community?
“From a credit standpoint, stock movements are usually temporary and any advance notice traders could receive from hackers gets washed out in the end when the rest of the market finds out,” said Leroy Terrelonge, assistant vice president and cyber risk analyst at Moody's Investors Service, and Moody's Senior Vice President and Tech Analyst Gerry Granovksy, in a joint statement.
Also, investors have good reason not to trust cybercriminals in the first place.
“Moody’s Cyber Risk Group has spoken with several organizations that have fallen victim to ransomware gangs over the past few years, and there is often a large discrepancy between ransomware gangs’ claims and reality. Customers of these cybercriminals are likely to be disappointed they won’t get quite the return on investment they imagine,” the Moody’s executives noted.
If anything, the more serious impact on finances and credit rating would be from the breach itself, and would depend on its size and scope, Moody’s noted. “We have seen wild swings in equity markets due to disinformation campaigns, but these are typically short-lived and securities prices return to pre-disinformation levels as soon as the correct information filters through the market,” Terrelonge and Granovksy said. “If fundamental drivers of credit are impaired by the cyber incident, however, that could result in a lowered credit rating.”
The DarkSide group has been known previously to engage in quirky behavior. In October 2020, it was reported that the cybercriminal gang had donated a percentage of the funds it extorted from victim companies to charitable organizations.