Ransomware operators look for insiders | Kaspersky official blog

When ransomware enters a corporate network, it usually does so through e-mail, software vulnerabilities, or unprotected remote connections. Having an insider deliberately deploy malware seems implausible. However, as real-world evidence shows, some attackers think this method of delivering ransomware is effective, and some attackers are now recruiting company employees by offering them a percentage of the ransom.

A creative delivery scheme

As absurd as it may sound, some seek out accomplices through spam. For example, one message directly offers “40%, $1 million in bitcoin” to anyone willing to install and deploy DemonWare ransomware on their organization’s main Windows server.

Researchers masquerading as interested accomplices received a link to a file along with instructions for launching the malware. However, the person behind the mailing was apparently an inexperienced cybercriminal; the researchers had no trouble getting him to talk. The threat actor in question was a young Nigerian man who had scoured LinkedIn, looking for senior executives to contact. He abandoned his original plan — e-mailing malware — once he realized how strong corporate cybersecurity systems are.

What’s wrong with the scheme?

To convince his targets their participation would be safe, the threat actor claimed the ransomware would erase all evidence of the crime, including any potential security footage, and recommended deleting the executable file to avoid leaving any clues. One might expect the criminal planned to trick his accomplices — arguably, once the server was encrypted, he would not care what happened to the person who did it — but he doesn’t appear to have understood how digital forensics investigations  work.

The decision to use DemonWare also betrayed his inexperience. Although attackers do still use DemonWare, it is actually rather unsophisticated malware whose source code is available on GitHub. The malware’s creator allegedly made it to demonstrate how easy it is to write ransomware.

How to stay safe

Although this example is just that — one specific example — insiders taking part in a ransomware attack is entirely realistic. Far more likely than someone launching malware on a network, however, is a scenario in which someone sells access to an organization’s information system.

The market for access to corporate networks has long existed on the dark web, and ransomers often purchase access from other cybercriminals — so-called Initial Access Brokers. It’s they who may be specifically interested in buying data for remote access to the organization’s network or cloud servers. Ads for such purchases aimed at disgruntled or fired employees float around the dark web.

To ensure no one jeopardizes your company’s security by letting ransomers into its networks, we recommend you:

  • Adopt a strategy of least privilege;
  • Keep careful records of access attempts to the organization’s network and servers, and revoke rights and change passwords when employees are dismissed;
  • Install on every server security solutions that can counter today’s malware;
  • Use Managed Detection and Response solutions, which help identify suspicious activity in your infrastructure before attackers have a chance to inflict serious damage.