Ransomware Groups Turning to Insiders to Help with Attacks

by Chris Brook on Wednesday January 26, 2022

A new survey suggests there's been an uptick in ransomware groups reaching out to employees in hopes they can help them carry out attacks against their company.

While federal governments have made some strides in the past few months, ransomware isn’t going away, at least in the near term.

To get their foot in the door at organizations, ransomware gangs are increasingly enlisting the help of employees at the target company. It makes sense; many of them already have the privileged access that attackers seek. If the worker is upset with their job or considering leaving – as many unhappy workers are doing these days – it may not take much convincing by a hacker, either.

According to a new survey, more than half of the companies asked said that either an executive or one of their employees has been approached to help carry out a ransomware attack. The number of those who said they’ve been approached by a ransomware gang, 65%, is up from the 48% who claimed they were approached just a few months ago.

The survey, carried out by Hitachi ID and Pulse, queried 100 large (over 5,000 employees) North American IT firms from December 7, 2022 to January 4, 2022. A previous survey, carried out by the firms from September 1 - September 23 last year, asked the same question. 83% of respondents said at the time it had become a more frequent occurrence since employees began working from home.

Not surprisingly, attackers used email (59%) more than any other medium (phone call, 27%; social media, 21%) to contact employees. Respondents claimed they’d be compensated for allowing the criminals access. The sums ran the gamut: 30% of those asked said the attackers would send them less than $500,000; slightly fewer, 28%, said they’d receive more than $500,000, but in Bitcoin.

The survey doesn't get too specific on details around the communications from attackers – which ransomware gangs in particular reached out, etc. – but does point out that a lot of firms who were approached still wound up getting hit by ransomware. 49% of those approached became victims, even after declining to offer to help, which raises several questions, including how exactly the attacks were carried out and whether they were carried out simply out of spite.

A Krebs on Security report last summer highlighted the lengths some cybercriminals were willing to go to gain a foothold into an enterprise. In that report, an attacker offered a threat researcher, masquerading as an employee, 40 percent of a million-dollar ransom demand if he agreed to install a strain of ransomware, Demonware, on his network.

LockBit, a gang that operates as a ransomware-as-a-service operation, did a lot of the same last summer as well, allegedly recruiting corporate insiders to help them secure access to networks. After getting access, the group could deploy ransomware.

A ransom note left in the wake of a LockBit infection last summer tried to convince employees to join their cause: "Would you like to earn millions of dollars? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc."

While there’s surely a big difference between the number of employees that have been approached to unleash ransomware at their company and employees that have actually done it, the concept of insider ransomware - and other dangers surrounding insider threats - remains a concern for defenders.

Tags:  Ransomware
