Understanding Ransomware Insider Threats

13 Sep 2021
Pentera Team

The trope of the burglar comparison in cybersecurity is more than overused. But when we talk about the damage of a break-in, it’s not just picking the lock that’s the problem: we worry about what they’ll steal, what they’ll destroy, even what they’ll plant (yes, I have an active imagination). What seals the deal on a good heist is always the inside man: the bank clerk, the janitor or even the shareholder with gambling problems. It seems that the ransomware groups are catching up.

Ransomware comes in different shapes and sizes. Whether it is of nation-state origin, a competitive attack tactic, or the work of criminal enterprises, the ransomware business is booming, as noted in the recent White House memorandum on cybersecurity. The risk of being caught is low for attackers, and the rewards are enticingly high. The repercussions of the threat have reached our daily lives, making ransomware personal: we are no longer just following along as the news explodes with stories of threats and attacks. When Colonial Pipeline was hacked by DarkSide just a few months ago, lines at gas stations were long due to fear of a shortage, and gas prices jumped. The mere specter of this kind of attack can send the public into a frenzy, and an organization into a spiral.

All cybersecurity professionals are aware of the threat of ransomware. To protect customer data and business continuity as much as possible, they stack their network with the latest, most cutting-edge technologies the industry has to offer. But what happens when the threat comes from within?


The latest tactic adopted by cybercrime groups is recruiting employees themselves to help. Yes, the call is coming from inside the house. Why break in when someone can prop the door open for you? It’s quite ingenious: social engineering quite easily equips attackers with lists of possible aides.

Abnormal Security documented an attempt they caught wind of and played along with, to see which tactics were employed, how the scheme works, and who in the organization is capable of carrying out the attack. Among other findings, they found that the attacker (apparently based in Nigeria) wasn’t particularly tech-savvy, but that the attachment he asked their fake persona to execute was indeed ransomware, with the intent to extort an amount which proved to be flexible. He gathered C-level corporate email addresses from LinkedIn and originally attempted a more classic phishing scheme, without success. With the new phenomenon of LockBit announcing their RaaS and the fact that all the code for DemonWare is available on GitHub, reaching out directly to possible “assistants” to execute relatively easily attainable ransomware strains has become a completely viable (and frankly quite smart in its simplicity) option to bypass the middleman.

This is the newest evolution of the ransomware “business,” and it has been gaining traction. Only recently, a Russian national pleaded guilty to attempting to recruit a Tesla employee to plant malware after the employee reported the attempt. But will every employee or consultant come forward and collaborate with the FBI? In Gartner’s Ransomware Defense Life Cycle, the first phase is about preparation, and this is indeed the key to the rest of the stages as well. So how do we equip ourselves in light of a growing array of ransomware strains and business models?

Even with the tightest policies and attempts to institute a zero-trust and least-privilege policy, there’s always risk. What if an internal employee decides to deploy ransomware? How can one detect it before it’s too late? As an organization, all that’s left is to test and test again, with actual ransomware strains and actual exploitations.

Automated security validation is the call of the hour: knowing where the organization is vulnerable, and reducing the cyber exposure as much as possible. When security professionals have full visibility into the network, they can make the right decisions on where to focus remediation efforts effectively. This way you can have eyes on your potential insider threat as well as an outside attacker, and cover the various ransomware threats. The key is to validate as often as possible: not once a year or once a quarter, but on demand, as needed or desired. Make the switch from pondering what the payout will be to feeling more confident that you’re RansomwareReady™. Validate, remediate, repeat.
