Ransomware attackers begin to eye midmarket acquisition targets

It cost the company about $1.2 million to have its systems released, paid to a group suspected of links to the Russian ransomware group REvil, said Richard Peters, a cybersecurity expert at consulting firm UHY LLP. He couldn’t name the company, a client, for confidentiality reasons.

The attack fit an increasingly familiar pattern, as ransomware groups are turning their attention to midmarket acquisition targets, presenting a risk for private equity, venture capital and other deal makers that often invest in such businesses.

“Because of the M&A and because of the publicity around that, it became a better target,” Mr. Peters said. “They’re watching. They know what’s going on in the news as well as any businessman out there.”

While hacks involving large, deep-pocketed targets draw the most public attention, ransomware groups are targeting midsize companies that have, or are about to have, a deep-pocketed owner like a private-equity firm. A newly acquired company typically has access to more ready cash, tends to have less robust cybersecurity, and may offer a backdoor into the acquirer’s systems, Mr. Peters said.

With ransomware attacks surging in recent years, U.S., British and Australian authorities have noticed a shift toward smaller targets over the past year.

After a spate of strikes against so-called “big game” targets such as the 2021 attack on Colonial Pipeline Co., ransomware groups started striking smaller targets, according to a report published in February by the Federal Bureau of Investigation, other U.S. agencies and counterparts in Australia and the U.K.

Midsize companies are a minority of all companies attacked, but their average payout exceeds $1 million, according to a February report by Coveware Inc., a ransomware responder group. Ransomware attackers see them as a stable source of payments without the geopolitical risk that comes with hitting up a major company, Coveware said, citing an interview with a hacker.

Deal targets in particular are “low-hanging fruit,” said Jeremy Swan, a managing principal at advisory firm CohnReznick LLP who works with private-equity managers.

“We’ve started looking at the data, and have definitely seen a correlation between attacks and deal announcements,” Mr. Swan said. “And then attacks concentrated around a portfolio.”

“It’s really been across the board: manufacturing businesses, healthcare businesses, technology businesses, consumer-oriented businesses,” Mr. Swan added.

For private-equity firms that put cybersecurity on the back burner, the effect of a ransomware attack on a portfolio company can be potentially ruinous. If one portfolio company has weak security, attackers might systematically move through a firm’s entire roster, Mr. Swan said.

Ransomware groups have also started targeting the mergers and acquisitions departments of law firms, possibly searching for intelligence, UHY’s Mr. Peters said.

The growing number of attacks linked to private-markets acquisitions are making cybersecurity a far more routine due-diligence consideration, Mr. Peters said. Though cybersecurity considerations tend not to derail deals outright, weak cybersecurity in an acquisition target often leads acquirers to seek remedial measures, he said.

Some investors now are pushing for better cybersecurity practices across their portfolios.

“This housekeeping from a cybersecurity perspective needs to be done—before you’re on the radar, before you announce a large round of capital—because at that point in time, you will become a target,” said Ruth Foxe Blader, a partner at the venture-capital firm Anthemis Group. “We see this emerging risk as something that all companies are going to have to become much more aggressive about.”