Ransomware Gangs are Recruiting Your Employees

Someone with authenticated access to your company’s network and data could be working with a ransomware gang.

Nearly half of organizations reported someone on the inside was approached and recruited to assist in ransomware attacks, according to research from Hitachi ID. It is happening more frequently as employees continue to work remotely.

Why is it happening more frequently? The answer to that question is easy—it’s always about the money, said Kumar Saurabh, CEO and co-founder of LogicHub, in an email interview.

“The top ransomware groups are run like well-organized businesses, and paying ‘finder’s fees’ to insiders for access is well worth the investment,” said Saurabh.

As long as ransomware continues to be lucrative, criminal gangs will try to recruit insiders to plant malware or open other types of back-door access. One of the best-known examples of such a scheme happened in 2020 when an employee at Tesla was offered $1 million to install malware that would trigger a DDoS attack. During that attack, the plan was for the cybercriminal to gather data that would later be held for ransom.

A Look Inside Ransomware Gangs

Cybercrime is big business, and cybercrime rings behave in the same manner as any successful business operation. Ransomware gangs are no different.

“Ransomware perpetrators operate mostly as part of a sophisticated supply chain containing access brokers, affiliates, infrastructure-as-a-service operators and suppliers,” explained Simon Aldama, CISSP, principal security advisor at Netenrich.

Like other mature industries, ransomware gangs employ sales, marketing, technical support and development professionals. Their goal is to improve profits and market share while sharing intelligence and capabilities.

Legitimate businesses are always on the lookout for the “perfect” employee; almost anyone with a decent LinkedIn profile, for example, has been targeted for new job opportunities. Ransomware gangs also work as “corporate” headhunters, often using ransomware-as-a-service to find employees willing to earn lucrative payouts in return for offering access credentials and more.

“LockBit 2.0, as part of their campaign to expand their affiliate program, actively recruited insiders who could give them access to victims’ corporate systems,” said Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, in an email interview. When Accenture systems were hit with a ransomware attack, it was made possible largely because of insider help.

For the insider, the ransomware gang made an offer that was too lucrative to pass up. “Extortionists promise huge amounts as a reward, so an unscrupulous or insufficiently loyal employee, or a person in a difficult life situation, may agree to cooperate,” said Kilyusheva.

The Insiders Working With Ransomware Gangs

Even with a large amount of money dangled in front of them, it is still hard to believe that an employee would willingly hurt their company by doing something illegal. However, in many cases, it’s likely these employees are already disgruntled, reckless or malicious, and doing damage to their organization falls into their personal scheme to do harm.

“The ongoing COVID-19 pandemic also may have had an impact on the prevalence of insider threats,” added Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “Millions of people worldwide will have seen their working conditions adjusted to something they may not necessarily agree with or could have even lost their livelihoods. It is realistically possible that these conditions could lead to an increased risk from insider threats which, in turn, could represent an opportunity for ransomware groups.”

Certain personality traits indicative of delinquent behaviors, like hostility, narcissism and impulsivity, may also play into an insider’s decision to become an accomplice to a ransomware attack.

Keeping Watch for Potential Insider Targets

Organizations must first practice diligence to proactively screen new hires to identify personality and behavioral traits that lend themselves to insidious actions, Aldama pointed out.

Also, developing and operationalizing an insider threat management program as part of any modern cybersecurity strategy will assist in detection, deterrence and response to individuals exhibiting behaviors associated with being “outside the norm.”

“Paying close attention to user behavior is an absolute necessity. Behavioral analysis should be combined with automated response processes and procedures to decrease the time it takes to identify and circumvent behaviors outside the normal baseline of activity,” Aldama said. “Such behavioral analysis must be applied to email, identities, devices, infrastructure and applications protecting sensitive data as part of a constant feedback loop.”

It’s also important to understand that interaction with ransomware gangs might start within corporate communication channels but, once positive contact is made, those communications will continue outside the organization’s network.

“However, you should pay attention to suspicious actions on the part of employees, including violations of information security policies, work at atypical hours, attempts to access systems that are not provided for by the employee’s job functions, access to suspicious resources and attempts to run malicious commands or files,” said Kilyusheva.
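Two of the indicators listed above, work at atypical hours and access to systems outside the employee's job functions, can be checked against a per-user baseline of activity, as in this added example (not from the article or from any vendor quoted in it). The user names, system names, entitlement map and log events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data; users, systems and entitlements are hypothetical.
ROLE_SYSTEMS = {
    "alice": {"crm", "mail"},
    "bob": {"build", "mail"},
}

BASELINE = [  # past activity used to learn each user's normal working hours
    ("alice", "2024-03-04T09:12:00", "crm"),
    ("alice", "2024-03-05T13:40:00", "mail"),
    ("alice", "2024-03-06T17:05:00", "crm"),
    ("bob", "2024-03-04T10:02:00", "build"),
    ("bob", "2024-03-05T18:30:00", "mail"),
]

NEW_EVENTS = [
    ("alice", "2024-03-11T10:15:00", "crm"),         # within baseline
    ("alice", "2024-03-12T02:47:00", "crm"),         # atypical hour
    ("bob", "2024-03-12T11:20:00", "domain-admin"),  # outside job function
    ("bob", "2024-03-13T03:05:00", "backup"),        # both indicators
]


def learn_hours(events, slack=1):
    """Return {user: (earliest_hour - slack, latest_hour + slack)}."""
    seen = defaultdict(list)
    for user, ts, _ in events:
        seen[user].append(datetime.fromisoformat(ts).hour)
    return {u: (min(h) - slack, max(h) + slack) for u, h in seen.items()}


def flag_events(events, hours, entitlements):
    """Return (user, timestamp, system, reasons) for each deviating event."""
    alerts = []
    for user, ts, system in events:
        reasons = []
        lo, hi = hours.get(user, (0, 23))  # no baseline: skip the hour check
        if not lo <= datetime.fromisoformat(ts).hour <= hi:
            reasons.append("atypical-hours")
        if system not in entitlements.get(user, set()):
            reasons.append("outside-job-function")
        if reasons:
            alerts.append((user, ts, system, reasons))
    return alerts


ALERTS = flag_events(NEW_EVENTS, learn_hours(BASELINE), ROLE_SYSTEMS)
```

Events carrying both reasons are the ones to route to an analyst first; a single off-hours login on an entitled system is far more often benign.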

In the end, whether insider threats are deliberate, malicious or accidental, the motive(s) shouldn’t matter to security teams.

“Being vigilant about security best practices is more important than ever, including least-privilege access, effective detection and response, preventing lateral spread and traceability,” said Saurabh. “IT teams also need to make sure their security tools are up to the task and can handle, analyze and learn from the enormous amounts of security data that are available.”


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
