Loyal Worker or Ransomware Mule? How Organizations Can Contain Insider Threats

essidsolutions

During July and August 2020, Russian national Egor Igorevich Kriuchkov contacted and held several meetings with a former colleague working at the Nevada office of a U.S.-based multinational company. The motive behind the meetings was to recruit the employee to plant malicious software in the company’s computer network. Kriuchkov offered him $1 million in Bitcoin for the job. Once the employee had planted the malware, Kriuchkov and his associates planned to exfiltrate critical data from the computer network and then threaten to dump it online if the company refused to pay the ransom.

Stealing critical data during a ransomware attack and using it to intimidate companies into paying a hefty ransom is becoming the norm. As per industry estimates, half of the ransomware attacks in 2020 involved data exfiltration in some form. The threat of a data leak puts organizations in a spot, as it can damage their reputation, tank stock prices, lead to heavy penalties from data protection authorities and even potential class-action lawsuits.

Typically, threat actors use phishing emails, malicious attachments or bogus web pages to trigger a malware attack. However, given the uncertainty of success in a remote attack, threat actors are always looking for more targeted attack vectors. Recruiting employees who have direct access to their company’s computer networks gives them higher odds of success. Even though threat actors may have to pay the insider thousands or even a million dollars, as we saw in the Nevada case, to betray their employer, they can easily recover that by making hefty ransom demands exceeding seven digits.

“Spreading ransomware through phishing campaigns is a numbers game. Not every company will take the bait, but some small percentage end up getting infected and paying the ransom. If hackers want to focus on a very specific target, using company insiders might be a more effective and quicker way for them to defeat security defenses,” says Peter Tsai, Head of Technology Insights at essidsolutions Ziff Davis.

Though the practice of using mules to plant malware isn’t entirely new, its use by ransomware actors is fairly recent and a matter of significant concern, according to security experts.

“It’s hard to know for certain how prevalent this is; however, we can say that this is a relatively new development in the toolbox of ransomware attackers. We shouldn’t be surprised since ransomware attackers are always looking to innovate their attacks, and insider threats like this are a long-term concern for cyber defenders,” warns Christopher Budd, Senior Threat Communications Manager at Avast.

How Attackers Recruit Mules

Unlike the Nevada incident, in which the threat actors met the insider in person to recruit and plan the attack, threat actors are usually more discreet. They can be found lurking behind job postings on the Dark Web, looking for corporate insiders willing to share company secrets or plant malware for a few Bitcoins. However, attackers are now venturing beyond the Dark Web to find and recruit mules, as law enforcement authorities have had a fair amount of success in recent times when it comes to cracking down on Dark Web marketplaces.

A case in point is LockBit 2.0, a hacker group that offers ransomware-as-a-service. The group reportedly leaves solicitation messages for insiders in the desktop wallpaper on systems encrypted with the malware. They are offering millions of dollars to corporate insiders who have access to internal accounts and can provide login credentials for VPN (virtual private networks), RDP (remote desktop protocol), and corporate emails, giving attackers access to the company network. Insiders are also asked to open an email sent to them and launch the virus on any computer in their company. This would give attackers remote access to the company network.

Cybersecurity company Abnormal Security recently identified and blocked several emails sent to their customers’ systems soliciting their employees to trigger an insider attack on their companies’ networks with ransomware. These emails are believed to have been sent by attackers with links to DemonWare, a Nigerian ransomware group.

Brian Stack, Vice President of Engineering & Dark Web Intelligence at Experian Consumer Services, writes in a blog post, “Recruiting of disgruntled employees or those looking to make a quick buck is not restricted to ransomware. The Dark Web has been recruiting people for years to monetize the data and access they have.”

In addition to emails and job postings on the Dark Web, attackers have also started casting nets on social media platforms, including encrypted messaging services. According to Check Point Research, Telegram channels such as ‘Dark Jobs’ and ‘Dark Work’ are very popular among threat actors looking to recruit disgruntled employees.

Are Organizations Ready For Insider Threats?

It can be tricky for an organization to differentiate between an attack triggered by an unsuspecting employee and one carried out by a mule. Stack points out that companies should look within, as disgruntled employees should never be overlooked. Depending on their position, they may have the keys to your proverbial castle, whether payroll information, intellectual property, or access to crucial system endpoints.

A recent survey by Ponemon Institute shows that insider threats rose by 47% between 2018 and 2020, while the cost of insider threat incidents increased by 31%, from $8.76 to $11.45 million during the period. Though the Ponemon report mainly focused on insider negligence and credential thefts, it emphasizes the fact that most companies are still not fully prepared to deal with insider threats.

“Hackers hiring company insiders to spread malware is troubling for IT professionals tasked with securing networks. They might already have security measures in place to guard against external threats, but their employees already have a degree of access to company resources,” cautions Tsai.

Tsai believes companies that already highly restrict access to sensitive resources are more secure against insider threats. “Still, IT departments might have to ramp up use of monitoring tools if these types of insider breaches become more commonplace,” he adds. 

According to essidsolutions’ recent Future of Remote Work report, only 22% of companies with flexible work policies currently use tools designed to monitor remote employee activity.

Using these tools may result in backlash from employees or privacy advocates, which is why companies should be upfront and transparent about them.

What Can Be Done To Thwart Attacks From Inside?

Apart from Tsai’s suggestion to ramp up the use of system monitoring tools, companies can do more to protect their networks from insiders waiting for the right moment to sneak in malware.

Some experts feel the use of tools such as EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) can improve threat detection and nip malware in the bud.  

“Solutions like EDR and MDR are capable of detecting such attacks in the middle of the kill chain, however ransomware has a relatively short life period inside of the corporate network, which means that security teams have to be able to detect and stop these attacks fast. This is achieved mostly via specific training for SOC (security operations centre) staff, and/or via adding outsourced staff to your SOC specifically for this task,” advises Konstantin Sapronov, a security expert at Kaspersky.

Avast’s Budd opines that, as this is new, it is hard to know for sure how these attacks might play out. At its heart, this is a variation on the classic “insider threat” risk, and so tools and best practices that mitigate that threat would apply here.

“Strong logging of access can help identify how an attack began. In terms of prevention, another tactic that prevents insider attacks is limited permissions and access,” he adds.
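As an added example (not from the article or its interviewees), the following Python script shows one concrete form the access logging Budd describes could take for the credential-sharing scenario mentioned earlier: it parses constructed VPN/RDP login records (the log format and the sample data are assumptions) and flags an account that holds overlapping sessions from two different source addresses, the pattern expected when an insider hands credentials to an outside party while continuing to use them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Line format assumed here:
# <ISO timestamp> <service> user=<name> src=<ip> event=<login|logout>
SAMPLE_LOG = """\
2021-09-01T08:02:11 vpn user=jsmith src=203.0.113.7 event=login
2021-09-01T08:40:55 vpn user=jsmith src=203.0.113.7 event=logout
2021-09-01T09:15:02 vpn user=jsmith src=198.51.100.23 event=login
2021-09-01T09:20:40 vpn user=jsmith src=203.0.113.7 event=login
2021-09-01T10:05:00 vpn user=jsmith src=198.51.100.23 event=logout
2021-09-01T11:00:00 rdp user=akhan src=192.0.2.10 event=login
2021-09-01T11:30:00 rdp user=akhan src=192.0.2.10 event=logout
"""

# Sessions that never see a logout are expired after this long, so a single
# missing logout record does not generate alerts for the rest of the day.
MAX_SESSION = timedelta(hours=12)


def parse_line(line):
    """Split one log line into (timestamp, service, user, src, event)."""
    ts, service, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), service, kv["user"], kv["src"], kv["event"]


def overlapping_sessions(log_text):
    """Return alerts for logins that overlap an active session of the same
    account on the same service from a different source address."""
    active = defaultdict(dict)  # (user, service) -> {src: login time}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, service, user, src, event = parse_line(raw)
        sessions = active[(user, service)]
        # Drop stale sessions (no logout seen) before evaluating this event.
        for stale in [s for s, t0 in sessions.items() if ts - t0 > MAX_SESSION]:
            del sessions[stale]
        if event == "login":
            for other_src in sessions:
                if other_src != src:
                    alerts.append({"time": ts, "user": user, "service": service,
                                   "active_src": other_src, "new_src": src})
            sessions[src] = ts
        elif event == "logout":
            sessions.pop(src, None)
    return alerts
```

Run against the sample, `overlapping_sessions(SAMPLE_LOG)` returns a single alert for jsmith's 09:20:40 VPN login from 203.0.113.7 while the 198.51.100.23 session is still open; in practice the alert would be enriched with geolocation or device identity before a human looks at it.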

Sapronov feels it is essential for organizations to have access to relevant threat intelligence since it efficiently distinguishes ransomware attacks from other types of intrusions. 

Conclusion

Fortunately for the Nevada-based company mentioned earlier, the employee decided to take the matter to his superiors, who alerted the authorities. Not only was the attack averted, but the FBI also managed to arrest Kriuchkov after surveilling his subsequent meetings with the employee. However, not all employees are always loyal to the company that employs them. The risk of an attack from inside by a mule is very much real, and denying it or delaying measures to deal with it can only heighten the risk of a ransomware attack.