Init0

Privacy & Cybersecurity Update – November 2021 | Skadden, Arps, Slate, Meagher & Flom LLP – JDSupra – JD Supra

In this month’s Privacy & Cybersecurity Update, we examine the FBI’s warning to companies regarding cyberattacks targeting confidential M&A activity, as well as the Cybersecurity and Infrastructure Security Agency’s directive ordering federal agencies to remediate cybersecurity vulnerabilities. We also take a look at a report by the National Association of Insurance Commissioners showing a steep rise in cyber insurance premiums, New York state’s new anti-robocall laws, newly approved European guidelines for international data transfers and the U.K. Supreme Court’s decision involving a data protection suit.

FBI Warns Companies of Ransomware Attacks Targeting Confidential M&A Activity

The FBI provided guidance to companies regarding the increasing incidence of ransomware attacks aimed at accessing material nonpublic information regarding mergers and acquisitions.

The Cyber Division of the FBI issued a Private Industry Notification on November 1, 2021, to address ransomware attacks against both public and private companies. Specifically, the FBI warned of ransomware actors leveraging illicitly obtained material nonpublic information regarding major financial events, particularly regarding upcoming mergers and acquisitions, to extract substantial payments from victims. According to the Private Industry Notification, companies that do not implement adequate cybersecurity protocols run an elevated risk of extortion during particularly significant and sensitive periods of corporate decision-making.

Bad Actors Utilizing Dual-Stage Cyberattacks

The Private Industry Notification notes that as ransomware actors become more sophisticated in their tactics, they are increasingly utilizing a dual-stage approach — blanket reconnaissance followed by targeted strikes.

In the notification, the FBI explains that bad actors typically begin with mass-distributed trojan malware against employees at a wide range of companies. During this initial stage, the bad actors use varied techniques, such as phishing attacks, to gain access to companies’ private networks and then gather information about corporate and financial activity. For example, the FBI noted a November 2020 technical analysis of a remote access trojan called Pyxie RAT that attackers used to run keyword searches for information that would indicate imminent and near-future stock share price changes. Keywords frequently searched include “10-Q,” “10-SB,” “N-CSR,” “NASDAQ,” “MarketWired” and “Newswire.”

During the second stage, bad actors sift through data obtained during the information-gathering stage to identify prime targets for ransomware attacks. Specifically, cyber-attackers select companies for which they have discovered material nonpublic information, such as planned announcements of major corporate decisions or M&A activity. Targeted companies are then subjected to blackmail (a threat to publicly disclose that information unless a payment is made), ransomware (malware that locks up or encrypts the company’s data or systems unless a payment is made), or both. Such second-stage attacks have …….

Source: https://www.jdsupra.com/legalnews/privacy-cybersecurity-update-november-3057155/