Every organization knows that the threat of ransomware is real, and despite best efforts to keep cybercriminals out, successful attacks continue to make daily headlines. Ransomware is ever-evolving, and criminal gangs change tactics to keep extorting their victims successfully, so organizations must try to stay one step ahead. In this article we look at some of the new threat trends that IT leaders should be aware of for the year ahead.

Ransomware groups are using increasingly sophisticated technology and infrastructure to carry out attacks while adopting new tactics to pressure their victims. Many of these new tactics have developed in response to stronger cybersecurity technologies and policies in the workplace. Attackers who can’t successfully infiltrate an organization’s systems on their own must enlist help in the form of insiders, a very worrying and real trend that IT leaders need to be aware of.

What Makes Insider Recruiting Different

In a typical modern-day ransomware scenario, a core group of developers makes their ransomware solution available as a service. Affiliates then carry out the attacks in exchange for a percentage of the payout. The affiliate’s job is to infiltrate the victim’s network and distribute the ransomware executable. To do this, the ransomware affiliates rely on a broad range of techniques and tactics. They may exploit technical vulnerabilities in the network, or they might use phishing and social engineering to compromise privileged accounts. Often, it’s a combination of multiple approaches.

What we are seeing now is that some ransomware groups have decided to cut affiliates out of the deal entirely, preferring to partner directly with an employee on the inside. LockBit 2.0 pioneered this approach by promising “millions of dollars” to corporate insiders who collude with the group, and other ransomware operators have taken notice and begun to follow suit.

How Insider Recruiting Changes the Threat Landscape

From the perspective of the ransomware group, the benefits of this approach are self-evident. Any employee with trusted account privileges can instantly distribute ransomware on the network without having to spend valuable time circumventing perimeter network defenses. As an added bonus, the criminal gangs are under no obligation to actually pay “millions of dollars” to their accomplices. If the insider gets caught and goes to jail, all the better.

But the temptation to become a ransomware accomplice represents a serious threat, especially to large enterprises with thousands of employees. Now, every user account – including employees, third-party vendors, and even customers – is a potential threat vector. The balance between detection-based perimeter solutions and network prevention has shifted, and attackers can breeze through perimeter defenses such as firewalls as if they’re not even there. The need for effective zero-trust architecture is now greater than ever.

Maximum Pressure: Ransomware Gangs Weaponize Victims Too

Cybercriminals are not just using employees against enterprise targets; they also use victims to apply pressure to larger targets. This tactic shows another side of double extortion, where ransomware groups threaten to publish the sensitive data they’ve exfiltrated. In a typical ransomware scenario, double extortion negotiations revolve around an enterprise target, with cybercriminals threatening to release sensitive customer or partner data to extort money from them. This tactic is changing, however, as cybercriminals realize they can get better results by talking directly to the people whose data they’ve stolen.

In this scenario, cybercriminals will often reach out directly to victims before the enterprise can alert them to the breach, which deeply damages the reputation of the target organization and puts considerable public pressure on its security team. Cybercriminals will try to skew facts and blame the organization for not securing its users’ data sufficiently, stoking anger among their victims and directing it towards their targets. This tactic is especially dangerous to public institutions and government agencies. These organizations rely on public trust to function, and ransomware groups can easily erode that trust and manipulate victims as they see fit. These cybercriminals often follow local media coverage to see how the incident is being portrayed. If they think that their target is not being truthful, they will escalate and begin extorting victims to turn the tide of public opinion. This is exactly what happened to the Allen Independent School District in 2021.

The Direct Approach: Radicalizing Disgruntled Insiders

According to a report from Hitachi ID Systems, 65% of surveyed IT and security employees received cybercriminal solicitations in 2021. That’s a remarkable increase from just one year earlier, and it’s likely to continue growing as the phenomenon becomes better known.

In most cases, cybercriminals used email and social media to contact employees; however, just over one-quarter of employees reported receiving phone calls from cybercriminals looking for accomplices. These are bold and direct strategies that try to capitalize on employee antipathy and dissatisfaction. Disgruntled employees have always presented a unique case for insider threats, but they have never had access to the kind of support that professional ransomware groups now offer. Ten years ago, an angry employee might have deleted their work files on their last day on the job. While not acceptable behavior, this kind of action rarely escalated to a true crisis scenario. Now, that same employee could conceivably hold the entire company to ransom, as was the case with Tennessee-based tech support firm Asurion, which made headlines when a disgruntled ex-employee posing as an anonymous ransomware hacker managed to extort them out of $300,000!

The Two-Pronged Approach to Mitigating Insider Risk

There are no silver bullets to protect against insider risks, but organizations can mitigate some of the worst potential damages. Business leaders need to take a two-pronged approach that addresses insiders’ motivations on one hand, and their potential capabilities on the other.

  • Actively Cultivate Office Culture. You can’t promise every employee millions of dollars. If your team only comes to work for the money, cybercriminals will have an easier time manipulating them against you. A positive, security-oriented company culture may be the only thing that prevents employees from becoming accomplices. Insider threats show exactly how valuable a company culture can truly be.
  • Invest in Data Exfiltration Protection. Advanced zero-trust security solutions like data exfiltration prevention stop users from taking sensitive data off your network without authorization. This ensures that even a privileged insider wouldn’t be able to exfiltrate and send sensitive data to a cybercriminal group. Prevention-based solutions like anti data exfiltration (ADX) make sure everyone plays by the same rules.

Cybersecurity leaders should treat enterprise networks like the public Internet. No user should have unlimited access to sensitive data, or the ability to exfiltrate data unsupervised. Zero-trust architecture promises that even successful insider attacks are limited in scope and easily remediated, and provides plenty of audit logs as evidence against the insider.

Trusted ADX Vendor

Small businesses and enterprises alike need robust data exfiltration solutions that go beyond detecting the use of sensitive data.

The key to achieving best-in-class organizational cybersecurity is implementing a compatible suite of detection and prevention solutions that work together without impacting usability. BlackFog provides organizations with set-and-forget functionality that prevents data from leaving the network. This significantly improves cybersecurity defenses against a wide range of attacks, from credential theft to ransomware, and more.

Make BlackFog part of your organization’s cybersecurity tech stack and keep your sensitive data safe from exfiltration.