The Ransomware Insider Angle

The trope of the burglar comparison in cybersecurity is more than overused. But when we talk about the damage of a break-in, it’s not just picking the lock that’s the problem; we worry about what they’ll steal, what they’ll destroy, even what they’ll plant (yes, I have an active imagination). What seals the deal on a good heist is always the inside man: the bank clerk, the janitor, or even the shareholder with a gambling problem. It seems that the ransomware groups are catching up.

Ransomware comes in different shapes and sizes. Whether it is of nation-state origin, a competitive attack tactic, or the work of criminal enterprises, the ransomware business is booming, as noted in the recent White House memorandum on cybersecurity. The risk for attackers of being caught is low, and the rewards are enticingly high. The repercussions of the threat have reached our daily lives, making ransomware personal: we are no longer just following along as the news explodes with stories of threats and attacks. When Colonial Pipeline was hacked by DarkSide just a few months ago, lines at gas stations were long due to a fear of shortage, and gas prices jumped. The mere specter of this kind of attack can send the public into a frenzy, and an organization into a spiral.

All cybersecurity professionals are aware of the threat of ransomware. And in order to protect customer data and business continuity as much as possible, they stack their network with the latest, most cutting-edge technologies the industry has to offer. But what happens when the threat comes from within?


The latest tactic adopted by cybercrime groups is recruiting employees themselves to help. Yes, the call is coming from inside the house. Why break in when someone can prop the door open for you? It’s quite ingenious: social engineering quite easily equips attackers with lists of possible accomplices.

Abnormal Security documented an attempt they caught wind of and played along with to see which tactics were employed, to find out how it works and who in the organization is capable of carrying out the attack. Among other findings, they found that the attacker (apparently based in Nigeria) wasn’t particularly tech-savvy, but that the attachment he asked their fake persona to execute was indeed ransomware, with the intent to extort an amount which proved to be flexible. He had compiled C-level corporate email addresses from LinkedIn and originally attempted a more classic phishing scheme, without success. With the new phenomenon of LockBit announcing their RaaS and the fact that all the code for DemonWare is available on GitHub, reaching out directly to possible “assistants” to execute relatively easily attainable ransomware strains has become a completely viable (and frankly quite smart in its simplicity) option to bypass the middleman.

This is the newest evolution of the ransomware “business,” and it has been gaining traction. Only recently, a Russian national pleaded guilty to attempting to recruit a Tesla employee to plant malware, after the employee reported the attempt. But will every employee or consultant come forward and collaborate with the FBI? In Gartner’s Ransomware Defense Life Cycle, the first phase is preparation, and this is indeed the key to the rest of the stages as well. So how do we equip ourselves in light of a growing array of ransomware strains and business models?

Even with the tightest policies and attempts to institute a zero-trust and least-privilege policy, there’s always risk. What if an internal employee decides to deploy ransomware? How can one detect it before it’s too late? So, as an organization, all that’s left is to test and test again, with actual ransomware strains and actual exploitations.

Automated security validation is the call of the hour: knowing where the organization is vulnerable, and reducing its cyber exposure as much as possible. When security professionals have full visibility into the network, they can make the right decisions on where to focus remediation efforts effectively. This way you can have eyes on your potential insider threat as well as on an outside attacker, and cover the various ransomware threats. The key is to validate as often as possible, not once a year or once a quarter, but on demand as needed or desired. Make the switch from pondering what the payout will be to feeling more confident that you’re RansomwareReady™. Validate, remediate, repeat.

Shift from ransomware aware to Ransomware Ready™ by requesting an assessment today. 

Written by: Roni Shandalov Elzam