If you handle mergers and acquisitions (M&A) or stock valuations, heads-up: the FBI has recently made an announcement that is relevant to you.

Ransomware continues to plague businesses of all sizes, but according to a recent FBI Private Industry Notification, ransomware threat actors are now researching publicly available information to pick their next targets. Specifically, they look for victims with “time-sensitive, significant financial events,” such as mergers and acquisitions (M&A) or stock valuations. What is their end goal? According to the FBI, “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.” A disclosure timed to such an event can depress a company’s stock price, scare off new investors and, depending on the scale, derail the M&A deal itself.

Ransomware is a legitimate threat

The FBI notification gives a high-level summary of how these attacks unfold. A ransomware attack is typically multiphase, “beginning with an initial intrusion through a trojan malware [or] an access broker to perform reconnaissance and determine how to best monetize the access.” Ransomware groups are monetizing that access at an astonishing rate.

The goal of that reconnaissance is to find information that is not publicly available and use it “as leverage during the extortion to entice the victims to comply with the ransom demands.”

The costs of an attack can be substantial. According to the National Security Institute, the average ransom demanded rose from $5,000 in 2018 to around $200,000 in 2020.

Beyond the payment itself and the effort to recover data, other business impacts to consider are:

  • Loss of business productivity
  • Business-threatening downtime, averaging 21 days after an attack
  • Decreased customer profitability
  • Failure to meet regulatory compliance obligations
  • Paying a ransom and never getting the data back
  • Ransomware left on the systems, which then strikes again

Mergers and Acquisitions

These attacks have a particular impact on the M&A process. One of the many byproducts of a ransomware attack is public scrutiny, which can make the affected company less attractive to customers and vendors, as well as to any prospective buyers. Chase Mabry, Manager with LBMC’s Transaction Advisory Services practice, explained, “At the very least, the ransomware event could directly impact the potential purchase price. Additionally, the event would trigger concerns around data validity and privacy during the due diligence process, leading to additional effort and likely increased fees. Given the sensitivity of documents provided during the diligence process, it is also very important that companies maintain a level of encrypted security when providing data and follow recommended protocols throughout each stage of data transmission and communications to avoid potential ransomware risk therein.”

One prime example of why cybersecurity belongs in M&A due diligence is Marriott’s acquisition of Starwood Hotels in 2016. In short, Starwood was breached in 2014 but was unaware of it. Two years later, in September 2016, the Marriott acquisition closed. Marriott, having failed to identify the breach during its pre-acquisition diligence, connected its network to Starwood’s and in turn granted the threat actors access to the Marriott environment. It was not until September 2018, four years after the initial intrusion into Starwood, that Marriott identified the breach, which it announced publicly that November. The impacts were significant:

  • Personal information for up to 500 million guests worldwide was exposed.
  • Marriott’s stock price dropped 5% after the breach announcement.
  • Marriott was estimated to have lost $1 billion in revenue from diminished customer loyalty following the incident.
  • A proposed GDPR penalty was estimated at $125 million, and in the US multiple class-action lawsuits were filed, including one seeking $12.5 billion in damages, or $25 for every impacted customer.

Paying ransoms is still discouraged

Consistent in its message, the FBI continues to discourage businesses from paying: “[t]he FBI does not encourage paying a ransom to criminal actors.” However, the notice also states, “The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” If a company does decide to pay, as Colonial Pipeline recently did, the FBI urges it to report the incident to its local FBI field office before paying.

Avoid becoming a victim

The FBI also provides a list of recommendations that an organization should verify are in place and operating as expected:

  • “Back up critical data offline.” The key word is offline: backups quickly become part of an incident if they are online and reachable from a compromised system or network segment. Keep backups disconnected when not in use and evaluate additional controls such as threat-aware backup software.
  • “Ensure copies of critical data are in the cloud or on an external hard drive or storage device.”
  • “Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.” One way to accomplish this is Write-Once, Read-Many (WORM) storage: once written, a backup cannot be overwritten or deleted through the normal write path until its retention period lapses, so ransomware that reaches the backup target cannot encrypt it in place. WORM does not help if the attacker obtains the storage platform’s administrative credentials or if the retention window is shorter than the time it takes you to notice the intrusion, so pair it with separate backup credentials and a retention period longer than your expected dwell time.
  • “Install and regularly update anti-virus or anti-malware software on all hosts.”
  • “Only use secure networks and avoid using public Wi-Fi networks.” By avoiding networks with unknown security postures, you remove one attack vector from the ransomware actor.
  • “Use two-factor authentication for user login credentials, use authenticator apps rather than email as actors may be in control of victim email accounts and do not click on unsolicited attachments or links in emails.” This can be a challenging requirement for many organizations; at the very least, investigate the feasibility and the level of effort it would take to implement it in yours.
  • “Implement least privilege for file, directory, and network share permissions.” This is a critical control that erodes over time simply because roles and responsibilities change. As people change roles or leave the company, their account permissions are not always adjusted or revoked, and “temporary” permissions granted for a project often become permanent because nobody is tasked with revoking them. Periodic access reviews that tie every grant to a current role and an expiry date are what keep this control from decaying.
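The backup recommendations above call for copies that an intruder on the protected host cannot silently alter. The following is an added example, not code from the FBI notice or from LBMC, of one way to make that check concrete: when a backup is taken, every file’s SHA-256 is recorded in a manifest and the manifest is authenticated with an HMAC key that exists only on the backup side. Before a restore, or on a schedule, the copy is re-hashed and compared, so files that ransomware encrypted in place show up as modified, deleted files as missing, and dropped-in payloads as unexpected. The directory layout, file contents and the key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Record every file's digest and authenticate the listing with an HMAC.

    The key must live only on the backup/verification side; an attacker on the
    protected host can then encrypt files but cannot forge a matching manifest.
    """
    files = {p.relative_to(backup_root).as_posix(): _sha256_file(p)
             for p in sorted(backup_root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the copy on disk to the manifest.

    Returns sorted lists under 'modified', 'missing' and 'unexpected'.
    Raises ValueError if the manifest itself fails authentication, so a
    rewritten listing cannot silently bless encrypted files.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        raise ValueError("manifest HMAC mismatch: listing altered or wrong key")
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif _sha256_file(p) != digest:
            report["modified"].append(rel)
    on_disk = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(on_disk - set(manifest["files"]))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware touching the copy."""
    key = b"demo-key-kept-on-the-offline-side"  # constructed; never stored on the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.xlsx").write_bytes(b"Q3 ledger contents")
        (root / "finance" / "deal_memo.docx").write_bytes(b"M&A deal memo")
        (root / "notes.txt").write_bytes(b"plain notes")
        manifest = build_manifest(root, key)

        # Simulated attack (constructed): encrypt one file in place, delete
        # another and drop a ransom note into the backup tree.
        (root / "finance" / "ledger.xlsx").write_bytes(b"\x9f\x13encrypted\x00blob")
        (root / "notes.txt").unlink()
        (root / "READ_ME.txt").write_bytes(b"pay us")
        return verify_backup(root, manifest, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest check is only as strong as the separation of the key from the protected host; if the key is stored next to the data, an intruder can rewrite the listing as easily as the files. It also detects tampering after the fact rather than preventing it, which is why it complements, rather than replaces, keeping the copy offline or on WORM storage.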
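The least-privilege recommendation above is a control that quietly decays, and the practical answer is a recurring access review. The following is an added example, not code from the FBI notice or from LBMC, that runs such a review over a constructed list of share grants: each grant records who holds it, why it was given and an optional expiry, and the review flags grants held by departed or disabled accounts, temporary grants that are past their expiry, rights that exceed what the holder’s current role is entitled to, and grants on shares the role has no entitlement to at all. The share names, roles, accounts, dates and the role baseline are all made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed role baseline: the highest right each role should hold on a share.
RIGHT_LEVEL = {"read": 1, "write": 2, "full": 3}
ROLE_BASELINE = {
    ("analyst", "finance$"): "read",
    ("controller", "finance$"): "write",
    ("analyst", "deals$"): "read",
    ("legal", "deals$"): "write",
}


@dataclass(frozen=True)
class Grant:
    principal: str
    share: str
    right: str               # read | write | full
    reason: str
    expires: Optional[date]  # None: the grant was never marked temporary


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    active: bool


def review_grants(grants: List[Grant], accounts: List[Account], today: date) -> List[dict]:
    """Flag grants that no longer match who holds them or why they were given."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for g in grants:
        acct = by_name.get(g.principal)
        if acct is None or not acct.active:
            findings.append({"grant": g, "issue": "orphaned",
                             "detail": "principal no longer exists or is disabled"})
            continue  # the remaining checks need a live account and its role
        if g.expires is not None and g.expires < today:
            findings.append({"grant": g, "issue": "expired_temporary",
                             "detail": f"temporary grant expired {g.expires.isoformat()}"})
        allowed = ROLE_BASELINE.get((acct.role, g.share))
        if allowed is None:
            findings.append({"grant": g, "issue": "no_baseline",
                             "detail": f"role '{acct.role}' has no entitlement on {g.share}"})
        elif RIGHT_LEVEL[g.right] > RIGHT_LEVEL[allowed]:
            findings.append({"grant": g, "issue": "exceeds_role",
                             "detail": f"{g.right} granted, role allows {allowed}"})
    return findings


def demo() -> List[dict]:
    """Run the review over a constructed directory and grant list."""
    accounts = [
        Account("alice", "analyst", True),
        Account("bob", "controller", True),
        Account("carol", "legal", True),
        Account("dave", "analyst", False),   # left the company, account disabled
    ]
    grants = [
        Grant("alice", "finance$", "read", "role entitlement", None),
        Grant("alice", "deals$", "write", "Q2 deal-room upload", date(2021, 6, 30)),
        Grant("bob", "finance$", "full", "month-end close", None),
        Grant("carol", "deals$", "write", "role entitlement", None),
        Grant("carol", "finance$", "read", "one-off request", None),
        Grant("dave", "finance$", "read", "role entitlement", None),
        Grant("erin", "deals$", "read", "contractor", None),  # no account on file
    ]
    return review_grants(grants, accounts, today=date(2021, 11, 15))


if __name__ == "__main__":
    for f in demo():
        g = f["grant"]
        print(f"{f['issue']:18} {g.principal:6} {g.share:9} {g.right:5} {f['detail']}")
```

In a real review the grant list would come from the share ACLs and the account list from the directory, but the shape of the checks is the same: a grant is only legitimate while its holder exists, its reason still applies and its right does not exceed the holder’s current role. The expiry field is what turns “temporary” into something a script can enforce.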

Ransomware isn’t going away any time soon. As the threat landscape evolves, controls and security practices will have to adapt with it, and additional controls will need to be considered. Bill Dean, Shareholder and leader of LBMC Information Security’s Technical Security Services, explains, “‘Hacking’ with ransomware is not the objective of these groups. Ransomware is simply the enabler of their business model. The goal is to generate as much revenue as possible by strongly encouraging the buying decision of the decryption key. Their ‘product pitch’ is threatening operational and branding perspectives of the target organization.”

If you are unsure of your company’s security posture or of what the impact of ransomware could be, LBMC Information Security’s team of cybersecurity professionals has the background and experience to help you assess your environment.

If you would like more information on the threat of ransomware or to discuss a risk assessment for your organization, contact us today.