
Why Ransomware Attackers Are Moving Towards Insider Attacks and What To Do About It

The ransomware crisis keeps getting worse. Although cybersecurity awareness is growing, it’s not enough to keep up with hackers. Attacks keep getting bigger, with some of the biggest ransomware attacks bringing in as much as $40 million for the attackers. With each improvement in security practices, hackers are finding more ways to circumvent them.

Unfortunately, this is not a battle that can be won by cybersecurity teams alone; it requires increased cybersecurity awareness at every level of an organization, from interns doing data entry to CEOs drafting company policy. However, updating network architecture can go a long way toward containing the damage caused by hacks when they do occur.

To understand the appropriate steps that need to be taken to counter this threat, it’s helpful to have some background on the current state of the ransomware threat landscape.

The evolution of ransomware

Ransomware is snowballing out of control. As hackers profit more and more from their hacks, they are reinvesting those profits in better organization and tooling. The scope and size of attacks grow as their capabilities increase, and cybersecurity spending has to be continuously increased to keep up with the threat.

This is a natural consequence of the rise of cryptocurrency. Cryptocurrency advocates hail the technology’s capacity to increase financial inclusion and provide a hedge against inflation, but the era of anonymous, online payments appears to come along with a “wild west” phase of lawlessness in cyberspace.

The first generation of ransomware focused on encrypting data in order to paralyze an organization. In response, many IT security teams improved their backup procedures, meaning a ransomware attack could be resolved by simply restoring the affected data from backup.

In response, ransomware hackers began to focus on organizations like law firms, health care providers, and others who store sensitive client data. In this way, even if encrypting data was not enough to pressure victims into paying a ransom, the threat of a data leak could be.

One of the main countermeasures deployed against this kind of threat is encryption. By encrypting data, even if hackers gain access to the database, they can’t use the data contained within it as leverage to blackmail their victims.

Still, the profit potential is so high, ransomware gangs somehow keep finding new attack vectors.

The human factor

“Insider attacks” technically refer to any unauthorized access by an attacker that occurs because of an action by someone inside a company. Most insider attacks are caused by phishing, where an employee inadvertently clicks a malicious link or opens an email attachment containing malware.

This has led many companies to take phishing awareness training much more seriously. If employees understand the dynamics of phishing attacks and are familiar with the latest techniques, they are far less likely to fall into traps.

In response to tightening security, it appears that ransomware hackers are adopting new methods. One gang, Lockbit 2.0, is now offering millions of dollars to employees who are willing to help them gain access to a network.

If hackers are able to contact a disgruntled employee and convince them to work with them, even the best cybersecurity defenses in the world will fail. This presents yet another challenge to already struggling cybersecurity teams.

Countering potential insider threats

Receiving the equivalent of several years’ salary could be very enticing to some unscrupulous employees. So what can organizations do to minimize this risk?

Usually, the fundamental assumption in cybersecurity is that threats come from the outside. However, it’s always a good idea to plan for the worst and hope for the best.

Many of the same security measures that can prevent insider attacks can also reduce the total damage done by hackers, so it’s definitely a good idea to incorporate them into any security strategy.

  • Principle of least privilege. There are a limited number of users on any organization’s network who have the capacity to cause a catastrophic cyberattack. It’s very important to keep that number as small as possible, and to know exactly who they are. The lower the number of users with administrative privileges, the less attack surface there is for hackers to take advantage of. The level of account privileges each user needs may change periodically, so it’s a good idea to conduct regular audits and make sure all privilege levels are set to the appropriate level.
  • Monitoring and detection. It’s standard practice to monitor internet-facing ports for unusual activity, but it can also be a good idea to monitor internal activity. Outsourcing this to a managed detection and response (MDR) service can be a good way to detect and stop insider attacks, malicious or otherwise, early.
  • Prevent lateral movement. Compartmentalized network architecture can also significantly reduce the scope of ransomware threats, including those initiated by insiders. By segmenting the network and restricting movement between segments, user privileges can be granted more narrowly to those who need them, limiting the number of users on a network capable of triggering a catastrophic attack.
  • Traceability. A malicious employee trying to strike it rich by working with a ransomware gang may access computers or infrastructure beyond their own workstation. Requiring that users be logged in and use one-time passwords (OTPs) for important actions makes any malicious actions traceable to a specific person, which acts as a deterrent.
  • Positive organizational culture. Ideally, the workplace should be somewhere that people like to be. A positive workplace culture not only improves productivity, it also means that employees want to continue working there, and won’t even think about betraying their employer.
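As an added illustration of two of the controls above (the regular least-privilege audit, and monitoring of internal activity for accounts reaching beyond their own workstation), the following script is example code written for this article, not a tool from any vendor or organization mentioned in it. The account names, host names, approved-admin list and log lines are all constructed; a real deployment would read the admin group from the directory and the logons from the authentication log or SIEM.

```python
"""Added example (not from the original article): two small checks that
support the controls listed above, run over constructed sample data.

1. privilege_drift(): compare who currently holds administrative rights
   against an approved list (the "regular audit" of the least-privilege item).
2. unusual_host_access(): build a per-user baseline of hosts from earlier
   authentication logs and flag logons to hosts outside that baseline
   (the internal monitoring / traceability / lateral movement items).

All account names, host names and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: who is approved to hold admin rights, per the last audit.
APPROVED_ADMINS = {"alice", "svc-backup"}

# Constructed: current membership of the admin group, as exported from the directory.
CURRENT_ADMINS = {"alice", "svc-backup", "dave"}


def privilege_drift(approved, current):
    """Return (unexpected, missing): accounts holding admin rights that are not
    on the approved list, and approved accounts that no longer hold them."""
    return sorted(current - approved), sorted(approved - current)


# Constructed sample authentication log lines: "<timestamp> <user> <host> <result>".
BASELINE_LOG = """\
2024-03-01T09:02:11 alice ws-alice ok
2024-03-01T09:05:40 alice fileserver-1 ok
2024-03-01T09:10:03 bob ws-bob ok
2024-03-01T09:15:22 bob fileserver-1 ok
2024-03-02T08:59:07 alice ws-alice ok
2024-03-02T09:30:51 bob ws-bob ok
"""

REVIEW_LOG = """\
2024-03-10T22:41:09 bob ws-bob ok
2024-03-10T22:43:17 bob fileserver-1 ok
2024-03-10T22:47:55 bob db-prod-1 ok
2024-03-10T22:49:30 bob hr-payroll ok
2024-03-10T22:52:02 bob backup-vault fail
2024-03-11T09:00:12 alice ws-alice ok
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, host, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def host_baseline(events):
    """Map each user to the set of hosts they have successfully logged on to before."""
    baseline = defaultdict(set)
    for _ts, user, host, result in events:
        if result == "ok":
            baseline[user].add(host)
    return baseline


def unusual_host_access(baseline, events, threshold=2):
    """Flag users who reached at least `threshold` hosts outside their baseline
    during the review window. Failed logons count as well: an account probing
    for access leaves the same trace whether or not the logon succeeds."""
    new_hosts = defaultdict(set)
    for _ts, user, host, _result in events:
        if host not in baseline.get(user, set()):
            new_hosts[user].add(host)
    return {user: sorted(hosts) for user, hosts in new_hosts.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    unexpected, missing = privilege_drift(APPROVED_ADMINS, CURRENT_ADMINS)
    print("admin rights not on the approved list:", unexpected)
    print("approved admins no longer in the group:", missing)

    baseline = host_baseline(parse_log(BASELINE_LOG))
    for user, hosts in unusual_host_access(baseline, parse_log(REVIEW_LOG)).items():
        print(f"review: {user} reached hosts outside their baseline: {hosts}")
```

On the constructed data the audit reports one account (dave) holding admin rights without approval, and the review flags bob, whose baseline covers only his own workstation and the file server, for reaching three additional internal hosts in one evening. The threshold is deliberately low so that the first excursion beyond a user's normal set of hosts is reviewed rather than waiting for a large one.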

Implementing a few of these simple features can make life much more difficult for ransomware hackers looking for unscrupulous employees to partner with.