{ "id": "fca3d182-a9b3-4698-b606-1a20b1fde5b1", "created_at": "2026-04-06T00:06:15.452811Z", "updated_at": "2026-04-10T03:30:56.986508Z", "deleted_at": null, "sha1_hash": "efbf62dae6c196652537768a3a3e0c7a91d052b0", "title": "Ransomware gang wants to short the stock price of their victims", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 230411, "plain_text": "Ransomware gang wants to short the stock price of their victims\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-26 · Archived: 2026-04-05 13:31:16 UTC\r\nThe operators of the Darkside ransomware are expanding their extortion tactics with a new technique aimed at\r\ncompanies that are listed on NASDAQ or other stock markets.\r\nIn a message posted on their dark web portal, the Darkside crew said it is willing to notify crooked market traders\r\nin advance so they can short a company's stock price before they list its name on their website as a victim.\r\nThe Darkside crew believes that the negative impact of having a traded company's name listed on its website\r\nwould be enough to cause its stock price to fall and for a crooked trader to make a profit.\r\n\"While other ransomware families previously discussed how to leverage the effect of a publicly disclosed cyber\r\nattack on the stock market, they have never made it their official attack vector,\" Dmitry Smilyanets, threat intel\r\nanalyst at Recorded Future, told The Record today.\r\n\"DarkSide becomes the first ransomware variant to make it formal.\"\r\nHowever, the announcement also serves as an indirect method to threaten hacked companies that not paying the\r\nransom demand could result in negative press large enough to impact their market listings and enough to push\r\nsome victims into paying the asked ransom.\r\nThis approach is just the latest in a long list of techniques that ransomware gangs have been adding to their\r\nextortion arsenals.\r\nOther gangs have previously used:\r\ncold-calls to threaten victims that were preparing to restore data from backups\r\ntried making personal threats against the executives responsible for approving the ransom payment\r\nthreatened to notify business partners\r\nthreatened companies with DDoS attacks\r\nthreatened companies that they'd notify journalists about their security breaches\r\nhttps://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/\r\nPage 1 of 3\n\nthreatened to notify privacy watchdog agencies about a breach so the company can get fined\r\nand even sent emails to a victim's clients, asking the customers to put pressure on the company to pay its\r\nransom demand and avoid having the customers' data leaked online\r\nAll of these tactics are usually deployed once ransomware gangs learn that a company whose data they stole\r\nand/or encrypted does not plan to pay the demanded ransom fee.\r\nOnce the original ransom demand is declined, ransomware groups start putting additional pressure on victims with\r\nthe tactics listed above.\r\n\"We have anecdotal evidence that fewer people are paying ransom, which means ransomware actors have to find\r\nnew ways to extort money from victims,\" Allan Liska, a security researcher at Recorded Future specialized in the\r\nransomware landscape, told The Record in an interview today.\r\n\"We saw that with threats of DDoS attacks last year but those didn't really seem to work so they are looking for\r\nother ways,\" Liska added.\r\nHowever, the chances of this new extortion technique working are slim. In a tweet today, Liska said that none of\r\nthe previous ransomware attacks were severe enough to cause long-term damage to a company's market listing,\r\nwith the price taking only small hits for very short periods.\r\nFurthermore, any large short bets are most likely to be picked up and investigated by the Securities and Exchange\r\nCommission or other regulatory bodies, and not many traders are likely to take up Darkside's offer for such\r\nminimal gains and maximum regulatory risks.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nhttps://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/\r\nPage 2 of 3\n\nNo previous article\r\nNo new articles\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/\r\nhttps://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/" ], "report_names": [ "ransomware-gang-wants-to-short-the-stock-price-of-their-victims" ], "threat_actors": [ { "id": "f9806b99-e392-46f1-9c13-885e376b239f", "created_at": "2023-01-06T13:46:39.431871Z", "updated_at": "2026-04-10T02:00:03.325163Z", "deleted_at": null, "main_name": "Watchdog", "aliases": [ "Thief Libra" ], "source_name": "MISPGALAXY:Watchdog", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433975, "ts_updated_at": 1775791856, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/efbf62dae6c196652537768a3a3e0c7a91d052b0.pdf", "text": "https://archive.orkl.eu/efbf62dae6c196652537768a3a3e0c7a91d052b0.txt", "img": "https://archive.orkl.eu/efbf62dae6c196652537768a3a3e0c7a91d052b0.jpg" } }