Hackers Entice Employees in Ransomware Scheme

October is Cybersecurity Awareness Month, and we’re kicking it off with a reminder that not all threats are external. Threat actors are now soliciting employees to aid in ransomware schemes for a cut of the ransom.

Cyberattacks of all kinds continue to rise, even as governments around the world begin to set regulations and litigate legislation. There has long been a need for governments to get involved, but until there are laws, and repercussions for breaking those laws, cybercriminals will continue to evolve. Threat actors have to change their tactics on a regular basis to stay ahead of whatever law enforcement is focusing on, and they’ve been able to do so with the lack of punishment handed out. Now, though, businesses are taking steps to strengthen their own security, understanding that this is a legitimate threat. Because those defenses are holding their own, hackers are trying something new: soliciting employees of profitable enterprises to deploy ransomware as part of an insider threat scheme.

That’s right, as if business leaders and security professionals don’t have enough on their plates with outside threats, now they have to keep their eyes open for insider threats. Not that insider threats are new, and this tactic isn’t necessarily new either. But this tactic has never been employed so widely, and it’s never been used indiscriminately like it is today. This tactic was previously reserved for major blackmail scandals at large corporations. Now, though, with data being a major driver on the dark web and other black markets used by cyber criminals, information from anywhere and everywhere is welcome.

The uptick in this tactic was revealed in August. From KrebsOnSecurity:

“Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.” 

The article goes on to describe how the email was tied to a Nigerian man, and argues that dismissing a threat from West African nations is a mistake. That region is known for perfecting social engineering in cyber crime, so it really isn’t surprising that a Nigerian threat actor used a similar technique to solicit employees into helping him deploy ransomware.

This scheme raises red flags and should be setting off alarm bells all throughout the business world. We’ve often recommended third-party security reviews, and this only reinforces the need for an outside party to come in and review your security protocols. What if your employees receive an email like this and it isn’t caught? The company in this case was lucky: the emails were largely blocked and no one took the bait. But not every company is going to be so lucky. In fact, most companies probably won’t be that lucky. We’re in the middle of a global pandemic, there are shortages of everything, and people are hurting. All one of these emails has to do is reach one desperate person, and suddenly your entire business is locked down.

Security reviews matter. IAM controls matter. Credentialing matters. Having all of these things functioning in top form is vital to the success and viability of your business. On top of that, this type of attack shows exactly why employee retention matters. The longer someone works for a company, the more loyal they become to that company, especially when they are treated with respect and understanding. High rates of turnover are an indication of a problem and should be analyzed for improvement. Keeping employees happy isn’t the only consideration here, either. It’s also important for managers and co-workers to check in on each other and make sure mental health is monitored. If an employee is struggling for whatever reason, how can you help as a company? Those are the intangibles that matter. When employees feel that they are cared for and trusted, and that they can discuss problems with others, it serves as a reason for an employee to stick around. And if they want to stick around, it’s unlikely they will do anything to compromise that.

Hackers are always trying new tactics and revamping old ones. Ransomware continues to be a top cybersecurity threat in a variety of industries. Don’t get caught unaware. Make sure your security is reviewed by an expert, that IAM controls are set so that people only have access to functions that are essential for their position, and that the credential requirements for personnel are adequate for preventing credential stuffing. Securing your business should be a top priority in the 4th quarter and looking ahead to 2022.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who has founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.

