Ransomware operators are willing to notify corrupt traders of cyberattacks so that they can short companies’ stocks before the attacks are made public.
Financial traders live and breathe by the information they’re able to digest. Indeed, the USP of fintech companies is that they use technologies such as AI to help traders make sense of the huge quantities of data that can influence the movement of a stock. Most of the time, these kinds of companies are harvesting publicly available information, with their value being in helping you to make sense of it all.
Of course, often the most valuable information is not in the public domain at all. Research from the University of Technology Sydney Business School suggests that roughly four times as much insider trading takes place as is actually caught by regulators.
The researchers explain that the US Securities and Exchange Commission generally prosecutes around 50 cases of insider trading each year, but that this is the tip of the iceberg, with insider trading occurring in around 20% of all mergers and acquisitions, and 5% of all quarterly earnings announcements.
Of course, one group of people with potentially highly valuable inside information is cyber criminals, and earlier this year evidence emerged that the hackers behind the Darkside ransomware were looking to partner with equally crooked traders to give notification of the attacks before the victims managed to release the information to the public.
The hackers reasoned that once news of the hacks was released into the public domain, the share price of the victim would fall, thus providing an opportunity for traders to short the stock ahead of the official announcement and make an easy killing.
This is a reasonable assumption to make. After all, the Equifax hack in 2017 resulted in a fall of around 30% in the company's share price. Similarly, customers affected by the SolarWinds attack saw their share price fall by up to 20%.
Research from Edinburgh Napier University found that things are not always so straightforward, however, and that for around 40% of businesses, their share price isn't affected by disclosure of a breach at all.
This doesn't appear to be deterring the Darkside team, however, who stated that they were willing to notify corrupt traders of attacks so that they could short the company's stock before the attack was made public knowledge. They're believed to be the first cybercriminals to explicitly use this as a formal means of making money from each attack.
What's more, the mere threat of leaking the attack to traders could be used to increase the pressure on companies to pay the ransom demand as quickly as possible to minimize not only any negative press but also any financial hit they may take in the markets.
Shady business models
Of course, as I wrote in an article last year, it's by no means certain that a cyberattack will result in a company's share price going down, which is the essence of the shorting business model. Indeed, research from MIT highlights various strategies companies can employ to ensure that doesn't happen.
The paper finds that the reaction of the markets is often a reflection of how professionally the victims approach the attack.
Far and away the worst strategy is to pretend the attack didn't happen, with taking only minimal remedial action not far behind.
Indeed, in another article published last year, I argued that reporting attacks early is usually the best approach, as this not only shows that you are taking matters seriously, but it also significantly helps other organizations in your industry and in your ecosystem to take any remedial actions to secure their own systems.
Interestingly, the presence of more legitimate businesses may also work to inhibit the actions of the cybercriminals themselves. In a paper from Harvard, researchers argue that the presence of short sellers in a market tends to discourage those with actual inside information from selling their stock.
The authors suggest that without short sellers in the market, those with inside information will feel confident that they will be able to capitalize on the information they have about the potentially value-destroying event. When short sellers potentially have access to the same information, however, they compete with the insiders and therefore increase the likelihood that the information will be revealed to the market.
So, it seems that all roads ultimately lead to earlier disclosure of any cyberattack on an organization, which is probably a good thing for all of those on the legitimate side of the fence, even if less beneficial for those seeking to further capitalize on each attack.