FBI warns of ransomware leveraging ‘significant financial events’

PE firms and their portfolio companies are just as vulnerable to these attacks as public companies.

A private industry notification issued by the Federal Bureau of Investigation on November 1 is raising flags about ransomware actors using “significant financial events” to target their enterprise victims.

While all of the four anonymized cases highlighted by the FBI involve publicly traded companies, the bulletin serves as a timely reminder for private equity managers about today’s virulent ransomware threat.

PE firms and their portfolio companies are just as vulnerable to these attacks as public companies. “The vulnerability of PE firms compared to public is really dependent on the company and how public they are during an M&A deal, what the firm delivers and how impactful they are,” said George Ralph, the chief risk officer of IT and cybersecurity consultants RFA. “The Colonial Pipeline attack and the JPS attack that followed are both evidence of the susceptibility of portfolio companies and private companies alike.”

“The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections,” according to the notification summary. “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”

Highlighting the risk, a Financial Crimes Enforcement Network report on ransomware trends distilled from Bank Secrecy Act data published last month found that crypto-extortion accounted for $590 million of transactions flagged in suspicious activity reports (SARs) through the first half of this year.

While SARs are merely indicative of suspicion and require further investigation from anti-money laundering and law enforcement professionals, this figure still exceeds the total value of all ransomware payments reported in 2020 by nearly $200 million. At the same time, attempted ransomware attacks are increasing in frequency, with cybersecurity firm SonicWall logging 470 million ransom attacks year-to-date.

Information security firm Palo Alto Networks reported earlier this year that the average ransom payment has hit a record of $570,000, climbing 82 percent from last year.

The FBI notification notes that ransomware is “often a two-stage process” that begins with an “initial intrusion through Trojan malware, which allows an access broker to perform reconnaissance and determine how to best monetize the access.”

While malware campaigns are often mass-distributed, “ransomware targets are often carefully selected from a pool based on information gleaned from the initial reconnaissance,” the FBI said. After identifying the best extortion targets, initial access brokers then sell their recommended intrusion vectors to ransomware gangs on cybercrime underground forums.

Private Funds CFO recently explored the growing trend of PE firms migrating away from virtual private networks over concerns that they are no longer sufficient for enforcing network security in the post-pandemic era.

The FBI did not immediately respond to a request for comment.