News that a ransomware gang solicited Abnormal Security customers to become accomplices in an insider threat ransomware scheme highlight the risk associated with untrained or disgruntled employees.
In a Thursday blog post, Abnormal Security researchers said the threat actor told an employee that if they could deploy ransomware on a company computer or Windows server, the group would pay $1 million in bitcoin, or 40% of the presumed $2.5 million ransom. According to the researchers, the threat actor told employees they can launch the ransomware physically or remotely. Both Outlook email account and a Telegram username were provided for those interested.
The emails alleged to come from a threat actor with ties to the DemonWare ransomware group, which has been around a few years and has also been known as Black Kingdom and DEMON.
While there’s not a case that’s publicly known where a trusted inside employee accepted a bribe to launch ransomware, Roger Grimes, data-driven defense evangelist at KnowBe4, thinks that the scenario described by Abnormal Security has happened before — and not just once.
The reality is that "$400,000 to $1 million bribes are hard for people to pass if they think they cannot be caught,” Grimes said. “There are just some individuals who weigh the risks, are perhaps disgruntled for being passed over, ignored or underpaid, and do it. It’s the same financial equation that every real-world spy has ever considered before they started passing information to foreign governments, and I think betraying government military and intelligence secrets is probably a harder ethical boundary for more people to get by than simple financial crime with very little patriotic interests involved.”
That said, while organizations should worry about trusted insider threats, more than 50% of all ransomware attacks come from trusted, well-meaning, employees who were tricked by social engineering. Niamh Muldoon, global data protection officer at OneLogin, said prior to this attack, the threat actor used LinkedIn to collect target email addresses and leverage social engineering techniques to compromise accounts.
“This is a prevalent tactic in today’s digital transformation age, requiring individuals to be vigilant about protecting their digital identity and information assets,” Muldoon said. “Personal assessments of high value and/or high profile individuals need to focus on keeping their clients security-aware, implement clear processes on how to deal and report phishing, and implement technical controls to reduce associated risks from materializing.”
Of course once inside, attackers often need to test the company's network security protocols to delve deeper into assets. In other words, a successful ransomware attack typically showcases multiple security failures that go beyond any one employee.
“Ransomware gangs count on the presence of bad cyber hygiene in the form of unmitigated vulnerabilities, such as the Microsoft Exchange vulnerability, once they gain network access via an insider," said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. "This makes an effective vulnerability management program critical, he said. "A risk-based approach to remediation orchestration for cloud and application environments and traditional network infrastructures is essential. It’s a difficult job, but essential for real defense against ransomware attacks."