Ransomware is one of the most damaging types of cybercrime. As data becomes more valuable, criminals have found they can get bigger paydays by holding it for ransom. These attacks have become frighteningly common and some ransomware gangs are even recruiting company insiders to help them.
Companies that want to stay safe from ransomware must now consider more than just outside threats. The next attack could come from within.
Why Do Ransomware Gangs Want Insiders?
Asking employees for help with a crime seems like a good way to raise alarms, so why would ransomware gangs take that risk? Most of it comes down to insiders making these attacks more likely to succeed.
Many agree that insiders pose bigger risks than outside threats because they already have access to sensitive information—and many companies overlook internal risks. As a result, employees can be a huge help to ransomware gangs if they’re convinced to help. Instead of having to hack past layers of complex security systems, cybercriminals could simply email an employee a file to install on work computers.
It may become increasingly difficult to hack into a business when security defenses are so strong. By contrast, humans are just as easily manipulated as ever. Recruiting an insider makes it much easier to perform a successful ransomware attack, which often means a big payout.
Insider Recruiting Methods
Stopping ransomware gangs from getting insiders to do their dirty work starts with learning how they do it. Here are a few of the most common methods.
Social Engineering
Phishing or other forms of social engineering account for a large percentage of ransomware attacks, and it’s plain to see why. It’s easier to recruit someone to help with a crime if they don’t know that’s what they’re doing. Ransomware gangs can get employees to install malicious software without them even being aware of it.
These attacks usually come via email or text, often containing a link or attachment that looks legitimate. When the unsuspecting insider clicks it, the file or link installs ransomware on their work device. As a result, it gives ransomware gangs insider access without having to convince anyone to knowingly commit a crime.
Direct Contact
Ransomware gangs have become more upfront in recent years, too. According to Bravura Security, a shocking 65 percent of IT professionals say criminals have directly reached out to them or their employees about assisting in a ransomware attack—that’s a 17 percent rise over 2021 levels.
Like phishing, these requests typically come over email, but some ransomware gangs reach out through phone calls or social media. In most cases, they try to convince employees to help by bribing them. Gangs will offer hundreds of thousands of dollars in cash, cryptocurrency, or a cut of the ransom in return for installing ransomware.
Crowdsourcing
Security researchers have also noticed some ransomware gangs try to crowdsource their attacks. Cybercriminals post on public forums or encrypted social platforms like Telegram, calling for people with insider access to contact them. They may even hold public polls about who to target or what data to leak.
These public posts reach a wider audience, potentially boosting the chances of getting insider help. With an average ransom of over $2 million, according to Comparitech, ransomware gangs will make more than enough from a successful attack to pay multiple collaborators, too.
Examples of Insiders Assisting Ransomware Attackers
Attacks like this have targeted some of the world’s most recognizable companies. In 2021, AP News reported that a cybercriminal offered a Tesla employee $500,000 to install ransomware on company computers. In this case, the employee reported the incident instead of taking the money, but it highlights the scale of these attacks.
Other companies have been less lucky. In 2019, a disgruntled ex-employee from tech support company Asurion got $50,000 a day from his former employer after stealing data about millions of customers (as per Bitdefender). Law enforcement managed to catch the former worker, but not before the company had already spent thousands in ransom payments.
It’s worth noting that while these attacks have become more common, they’re not necessarily new, either. According to the FBI, a Boeing engineer stole hundreds of thousands of documents between the late 1970s and early 2000s as a recruit for Chinese intelligence agencies. This instance predates ransomware but exemplifies how extreme insider threats working for outside powers can be.
How to Prevent Insider Ransomware Threats
Given the massive risks, companies must do all they can to prevent insiders from working with ransomware gangs. Here are three crucial steps toward that goal.
Create a Positive Workplace Culture
One of the most important measures you can take is to ensure employees are satisfied in their positions. The less an employee likes their employer, the more likely they’ll be to take a bribe from a ransomware gang and help target their company for revenge. Building a more positive workplace minimizes that threat.
Competitive pay is an important part of employee satisfaction, but it’s not everything. A Gallup report shows that just 28 percent of employees cite pay and benefits as the biggest change that would make their workplace great, compared to 41 percent who cited engagement and culture issues. Working with employees to ensure they feel respected, safe, and cared for will go a long way.
Train Employees
Businesses need to train their employees to spot social engineering tactics too. Many insider-related ransomware attacks come from accidents like clicking on a phishing link. The key to stopping these incidents is teaching workers what to look out for.
Spelling errors, unusual urgency, and situations that sound too good to be true are common indicators of phishing. In general, employees shouldn’t click on or respond to any unsolicited messages and should never give sensitive information over email.
Implement Zero-Trust Security
Zero-trust security is another essential step in preventing insider ransomware threats. The zero-trust approach treats everything as potentially hostile, requiring verification at every step before granting access to anything or anyone. As part of that, it also limits access so each employee can only see what they need for their job.
These security models are harder to implement than traditional approaches, but they’re the best bet against insider threats. Because even authorized insiders can only access a limited amount of resources, recruiting insiders won’t necessarily make a ransomware attack worth the cost.
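To make the least-privilege argument concrete, the following added example (not part of the original article) measures how many file shares a single insider account could modify under flat access versus scoped access, resolving nested group membership along the way. All group names, share names and users are constructed sample data.

```python
from collections import deque

# Constructed sample data (hypothetical names throughout).
GROUP_MEMBERS = {            # group -> direct members (users or nested groups)
    "all-staff": ["finance", "support", "it-admins"],
    "finance": ["alice"],
    "support": ["bob", "carol"],
    "it-admins": ["dave"],
}
FLAT_ACL = {                 # share -> principals with write access (before)
    "finance-ledger": ["all-staff"],
    "support-tickets": ["all-staff"],
    "hr-records": ["all-staff"],
    "backups": ["all-staff"],
}
SCOPED_ACL = {               # the same shares after least-privilege scoping
    "finance-ledger": ["finance"],
    "support-tickets": ["support"],
    "hr-records": [],
    "backups": ["it-admins"],
}

def groups_of(user, members=GROUP_MEMBERS):
    """Return every group the user belongs to, directly or through nesting."""
    parents = {}
    for group, kids in members.items():
        for kid in kids:
            parents.setdefault(kid, set()).add(group)
    seen, queue = set(), deque([user])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def writable_shares(user, acl):
    """Shares one account can modify: the exposure if that account is misused."""
    principals = groups_of(user) | {user}
    return {share for share, allowed in acl.items() if principals & set(allowed)}

def blast_radius(acl):
    """Fraction of all shares writable by each user, worst case first."""
    users = {m for kids in GROUP_MEMBERS.values() for m in kids if m not in GROUP_MEMBERS}
    report = {u: len(writable_shares(u, acl)) / len(acl) for u in users}
    return dict(sorted(report.items(), key=lambda kv: (-kv[1], kv[0])))

if __name__ == "__main__":
    print("flat:  ", blast_radius(FLAT_ACL))
    print("scoped:", blast_radius(SCOPED_ACL))
```

Run against a real export of group memberships and share permissions, the same calculation shows which accounts still reach far more than their job requires.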
Insider Ransomware Threats Are Manageable
The trend of ransomware gangs recruiting insiders isn’t necessarily new, but it’s on the rise. That should be cause for concern, but it doesn’t mean you can’t defend against it.
Insider ransomware threats highlight the importance of limiting trust in cybersecurity. Threats can come from anywhere, even from trusted employees, so it’s best to lock things down as much as possible.