How do ransomware attackers enlist insiders to deliver malware for them?
Ransomware attackers are now enlisting insiders to deliver their malware. Perhaps it’s because some cybercriminals lack the technical skills necessary to gain access to internal systems and deliver their ransomware themselves, or maybe they just find recruiting insiders to be an easier way to do it. Whatever their motivation, bad actors are now sending emails to organizations’ employees and promising them substantial payoffs if these insiders will deploy their ransomware for them.
With ransom amounts reaching into the millions of dollars, an attacker can promise six- or even seven-figure payouts to an insider recruit and still realize a sizable profit. A disgruntled employee with financial difficulties may jump at the opportunity upon receiving an email from a bad actor looking for help. Fortunately, there are steps employers can take to reduce the likelihood of success for this type of attack.
How do ransomware attackers find insiders to deliver malware?
Identifying and contacting someone on the inside can be easy for a cybercriminal. In fact, some organizations make it too easy by unnecessarily publishing the names, contact information, and even the job titles of some or all of their employees on public-facing websites. LinkedIn and other social media platforms can also be rich sources of contact information and employer data. Bad actors frequently use these sources to gather phishing and spear-phishing attack targets, and now they’re providing ransomware attackers with the contacts they need to find inside help.
Once a ransomware attacker finds an insider to deliver malware, how does the attack work?
Once a cybercriminal has identified employees to target, they send an email to those targets, informing them of the intent to launch a ransomware attack against their employers and asking for their help in doing so. The messages will request that recipients respond if interested and may provide multiple methods to contact the sender. Although effective email filters will block many emails of this type, some of the emails will still reach the intended targets. (Typically, these “successful” messages do not include any attachments that might cause them to be blocked.)
Suppose an employee responds and expresses interest in helping to facilitate an attack. In that case, they will be offered a portion of the ransom with payment contingent upon the attack’s success. Criminals may promise these insiders that they will not be caught and assure them that they will take steps to protect them. The bad actor will question the employee regarding access to systems and their ability to install software on the organization’s workstations or servers.
If all goes according to plan and the employee agrees to help, the bad actor will provide instructions for downloading the ransomware package. The cybercriminal may accomplish this through a secure file transfer site. Suppose technical controls at the workplace do not allow the insider to access and download the package. In that case, the employee may be instructed to download it at home or elsewhere and save it to a USB device that the employee can take to work to facilitate the installation.
When it comes to transferring ransom funds, untraceable cryptocurrencies are a cybercriminal’s preferred choice. This choice is primarily due to the benefit of maintaining anonymity, as no legal name or address is required. There are also other benefits, such as the permanence of the transactions, as they cannot be reversed and don’t involve regulated banking systems. It’s a criminal’s dream. They may even offer to pay their insiders using this method. Of course, there is no guarantee that they will deliver as promised even if the attack is successful. In some identified instances of this type of attack, bad actors initially offered a large sum to their helpers, then significantly reduced the amount later.
What steps can I take to prevent or minimize insider ransomware attacks?
As previously stated, emails sent in these attacks often get past filters because they do not have attachments that could cause them to be blocked. Even if filters eventually begin blocking messages sent from a particular source once it has been identified as malicious, it’s easy for attackers to quickly acquire new domains and email addresses and circumvent those technical controls again.
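Because these solicitations carry no attachment and arrive from freshly registered senders, an attachment- or sender-based filter has little to work with; what the messages do have in common is their content (a stated intent to deploy ransomware, an offer of a share of the ransom, a request to install something, and a list of off-platform contact channels). The following is an added example, not BIA’s code, showing how a mail-triage rule can score on those content signals instead. The sample messages are constructed for illustration, and the signal patterns and threshold are assumptions a mail team would tune to its own traffic.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    has_attachment: bool

# Constructed sample messages for the demonstration (not real email).
SAMPLES = [
    Message("recruiter-7731@freemail.invalid", "Business proposal",
            "We plan to deploy ransomware on your employer's network. Install our file "
            "on a server and you receive 40% of the ransom, paid in Bitcoin. Reply here "
            "or contact us on Telegram or Wickr if interested.", False),
    Message("it-helpdesk@corp.example", "Patch Tuesday reminder",
            "Please reboot your workstation tonight so that this month's updates can install.", False),
    Message("security@corp.example", "Training due",
            "Reminder: our annual ransomware awareness training is due Friday.", False),
    Message("vendor@supplier.example", "Invoice attached",
            "Please find the invoice for last month's order attached.", True),
]

# Content signals typical of an insider-recruitment message (assumed patterns).
SIGNALS = [
    ("states_ransomware_intent", r"\bransomware\b"),
    ("asks_to_install_software",
     r"\b(?:install|run|execute|deploy)\b[^.]{0,40}\b(?:file|payload|program|software|package|executable)\b"),
    ("offers_ransom_share",
     r"(?:\d{1,3}\s?%|\bpercent(?:age)?\b|\bshare\b|\bcut\b|\bportion\b)[^.]{0,40}\bransom\b"),
    ("crypto_payment", r"\b(?:bitcoin|btc|monero|xmr|crypto(?:currency)?)\b"),
    ("off_platform_contact", r"\b(?:telegram|wickr|signal|jabber|tox)\b"),
    ("solicits_reply", r"\b(?:reply|respond|contact (?:us|me)|get in touch)\b"),
]
THRESHOLD = 3  # assumed: one or two signals alone are common in legitimate mail

def blocked_by_attachment_rule(messages):
    """What a naive attachment-based filter would stop: only messages carrying a file."""
    return [m for m in messages if m.has_attachment]

def score_message(msg):
    """Return (score, matched signal names) for one message, scanning subject and body."""
    text = f"{msg.subject}\n{msg.body}"
    matched = [name for name, pattern in SIGNALS if re.search(pattern, text, re.IGNORECASE)]
    return len(matched), matched

def triage(messages, threshold=THRESHOLD):
    """Messages whose content score reaches the threshold, for analyst review."""
    flagged = []
    for m in messages:
        score, matched = score_message(m)
        if score >= threshold:
            flagged.append((m.subject, score, matched))
    return flagged

if __name__ == "__main__":
    print("attachment rule blocks:", [m.subject for m in blocked_by_attachment_rule(SAMPLES)])
    for subject, score, matched in triage(SAMPLES):
        print(f"flagged: {subject!r} score={score} signals={matched}")
```

Run as a script, the attachment rule stops only the invoice, while the content score flags the recruitment message and leaves the awareness-training reminder (a single signal) alone. The point is not the particular regexes but the shift in what the filter keys on: the recruiter can change domains freely, but cannot make the pitch without describing it.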
Organizations looking for ways to avoid falling victim to this particular attack as well as other variants of phishing and spear-phishing campaigns should consider taking the following steps:
- Unless it’s necessary, avoid posting employee names, email addresses, phone numbers, and job titles on the company’s public websites. This information provides a bad actor with all they need to launch several different attacks, including ransomware attacks.
- Incorporate information into your cybersecurity training program that educates your staff on the dangers of posting too much work-related data on social media sites. Cybercriminals frequently use these sites to collect information. Sites like LinkedIn can also be valuable sources of information for bad actors.
- Provide Human Resources personnel and managers with the training they need to be able to identify disgruntled employees. Develop procedures for engaging with these employees to discuss any issues they may be experiencing.
- Encourage all employees to report any suspicious activities or questionable actions (by their coworkers or others) and provide them with a secure process for making their reports. Assure them that their reports will remain anonymous. Disgruntled employees often complain to coworkers about work-related issues. Those having financial difficulties may discuss them with other employees. HR and/or managers may be able to help these employees resolve issues that otherwise might lead to them accepting a proposal from a cybercriminal.
- Implement Role-Based Access Controls. RBAC is perhaps the most effective technical deterrent to this type of insider attack. RBAC grants employees access only to those physical areas and systems required to perform their duties. Limiting account privileges so that staffers with no legitimate need to install applications cannot do so also prevents them from installing ransomware. Once RBAC is implemented and account privileges are restricted, many employees could not assist an attacker even if they wanted to.
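The RBAC point above hinges on a specific check: who, after the role model is applied, still holds the right to install software, and whether each of those people should. The following is an added example, not BIA’s code, of a small role model with deny-by-default permission checks and a privilege review that reports accounts holding install rights outside the approved administrator roles, including rights granted directly rather than through a role. The roles, permissions and users are constructed for illustration.

```python
from dataclasses import dataclass, field

INSTALL = "software.install"

# Constructed role model: each role maps to the permissions it grants.
ROLES = {
    "accounting": {"erp.read", "erp.post_entries"},
    "helpdesk": {"ticket.update", "workstation.remote_assist"},
    "workstation_admin": {"workstation.remote_assist", INSTALL},
    "server_admin": {"server.logon", INSTALL},
}
# Only these roles are meant to carry the install right.
APPROVED_INSTALLERS = {"workstation_admin", "server_admin"}

@dataclass
class User:
    name: str
    roles: set
    direct_grants: set = field(default_factory=set)  # permissions assigned outside any role

# Constructed accounts, including two that a review should question.
USERS = [
    User("alice", {"accounting"}),
    User("bob", {"helpdesk"}, direct_grants={INSTALL}),      # legacy local-admin style grant
    User("carol", {"workstation_admin"}),
    User("dave", {"accounting", "server_admin"}),            # business role plus admin role
]

def effective_permissions(user, roles=ROLES):
    """Union of everything the user's roles grant plus any direct grants."""
    perms = set(user.direct_grants)
    for role in user.roles:
        perms |= roles.get(role, set())
    return perms

def is_allowed(user, permission, roles=ROLES):
    """Deny by default: a permission is held only if something grants it."""
    return permission in effective_permissions(user, roles)

def audit_install_rights(users, roles=ROLES, approved=APPROVED_INSTALLERS):
    """Report accounts that can install software for reasons the role model did not intend."""
    findings = []
    for user in users:
        if not is_allowed(user, INSTALL, roles):
            continue
        if INSTALL in user.direct_grants:
            findings.append((user.name, "install right granted directly, outside the role model"))
        extra = sorted(user.roles - approved)
        if extra:
            findings.append((user.name, f"install right combined with non-admin roles {extra}"))
    return findings

def revoke_install(user, roles=ROLES, approved=APPROVED_INSTALLERS):
    """Least-privilege fix: drop direct install grants and any approved admin role."""
    return User(user.name, user.roles - approved, user.direct_grants - {INSTALL})

if __name__ == "__main__":
    for name, reason in audit_install_rights(USERS):
        print(f"{name}: {reason}")
```

Run against the constructed accounts, the review is silent about alice (no install right) and carol (install right through an approved role only), and reports bob, whose right comes from a direct grant, and dave, whose accounting role is combined with server administration. Those two are the accounts that would let an otherwise ordinary employee act on a recruiter’s instructions; the same review run on a real directory export is how the “could not assist an attacker even if they wanted to” claim gets verified rather than assumed.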
Plan and prepare for ransomware attackers enlisting insiders at your organization.
This ransomware attack variant eliminates the need for criminals to defeat technical security controls to gain access to internal corporate systems. Using a target company’s information (often readily available online) paired with social engineering techniques, bad actors make direct contact with employees who may be willing to help facilitate an attack.
The success rate of this approach increases if the potential reward is lucrative and the target employee needs the money and/or holds a grudge against their employer. With attackers circumventing perimeter security in this manner, it is crucial to better educate staffers about the threat and implement more effective technical controls on the inside, including RBAC. Identifying employees who may be susceptible to this type of attack and addressing the issues as warranted can also limit the likelihood that an attack will be successful.
Let BIA be your shield.
For two decades, the experts at BIA have been helping companies keep their data safe. Whether you need help combatting a data breach, handling exiting employees and their data, or protecting company data as it lives on more and more devices in the WFH era, our advisors have a solution for you. Whether ransomware attackers are enlisting insiders from your organization or not, we invite you to arm up with our resources and/or reach out today.