Dangers from within – The Ransomware affiliate system

Ransomware - internal threat

The number of companies affected by ransomware continues to grow worldwide. Ransomware gangs have been able to obtain significant payouts from companies in exchange for the key that unlocks encrypted files, or for a promise not to publish stolen confidential data online. Such ransomware is typically deployed on a network through phishing, exploitation of vulnerabilities in exposed systems, or social engineering attacks.

Once a machine is infected, the malware attempts to spread across the network, specifically targeting servers and file storage devices. The infection process can be very stealthy, with no obvious signs that anything has changed until it is too late. Once an organization becomes aware of this type of attack, it faces a choice: spend time removing the malware and restoring data from backups, or pay the ransom to get its systems back into working order. In many cases organizations choose to pay rather than risk losing sensitive information, even though payment guarantees neither a working decryptor nor the deletion of stolen data.

However, as companies become more aware of the need to protect themselves against cybersecurity threats, ransomware gangs are turning to a more direct attack vector: people.

The evolving landscape of Ransomware

It has long been recognized that the number one cybersecurity risk to a company is its people. People are the weakest link in any security chain: they can be tricked, pressured or simply paid by cybercriminals who want access to your data or money.

In recent years, ransomware gangs have started offering commission and affiliate revenue to attract people who can provide internal network access and install their malware. Promises of large commission payouts can be very attractive to a disgruntled employee or a rogue staff member looking for a big payday.

For ransomware gangs, recruiting an insider as an affiliate bypasses the need for phishing, vulnerability exploitation and social engineering altogether. Ransomware gangs love minimal work, so this is a win for them.

To recruit affiliates, gangs will typically offer a cut of the ransom from successful attacks. They also make it easy for affiliates to get started by supplying a toolkit, such as an exploit builder and a packer, along with the ransomware itself, so that an affiliate can get going without any programming skills or knowledge.

Affiliates may be required to provide "proof of work", demonstrating that they have already installed malware on a victim's network, before being given access to the backend control panel where they choose their targets and start generating revenue from ransoms paid.

The growing cybersecurity threat to companies: Internal

The affiliate ransomware attack scenario is most likely to be carried out by a staff member, a contractor or someone else with direct access to the internal network. A disgruntled employee is a likely candidate, since they have both a financial incentive and malicious intent.

This person needs to introduce the malware onto a machine for it to propagate and take control of the network. This is where internal cybersecurity controls will be tested to the limit. Does your company have robust endpoint protection on every workstation and server? Can it detect and block privilege escalation and lateral movement, for example an ordinary user account that suddenly starts writing to dozens of file shares?

Your controls must be able to detect the infection while it is still spreading. If they cannot, the ransomware will encrypt every file the compromised accounts can reach across the network in a very short time frame.

It can be tough to identify the origin of this type of attack, because the perpetrator may release the malware from a colleague's unattended, unlocked workstation, or may have enough IT knowledge to bypass local workstation controls and cover their tracks.

This is where cybersecurity teams may need to rely on their incident response team's investigatory and intelligence skills, and on centrally collected logs that the perpetrator cannot alter after the fact.
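As an added illustration of what "able to detect the infection" can mean in practice (this is example code written for this article, not code from the original post or from any vendor's product), the Python script below runs over a constructed file-server audit log and raises an alert when one account, from one host, renames or writes an unusual number of distinct files within a minute, or when anyone modifies a canary file that no legitimate user has reason to touch. The log format, the thresholds, the share paths, the `.locked` suffix and the user and host names are all assumptions made for the example. Each alert records the user and host the activity came from, which is the starting point for the origin question raised above.

```python
"""
Added example: windowed mass-modification and canary-file detector for
file-server audit events. Everything here (log format, thresholds, paths,
user and host names) is an assumption made for the example, not a real
product or a real log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)          # look-back window per (user, host)
BURST_THRESHOLD = 20                          # distinct files touched in the window
CANARY_PREFIX = "/srv/shares/finance/.canary/"  # hypothetical honeyfile directory
SUSPICIOUS_EXT = (".locked", ".enc")          # illustrative renamed-file suffixes


def parse_line(line):
    """Parse one constructed audit line: 'ISO-timestamp,user,host,action,path'."""
    ts, user, host, action, path = line.strip().split(",", 4)
    return datetime.fromisoformat(ts), user, host, action.upper(), path


def detect(lines):
    """Return a list of alert dicts for time-ordered audit lines."""
    alerts = []
    recent = defaultdict(deque)   # (user, host) -> deque of (timestamp, path)
    burst_reported = set()        # report each (user, host) burst only once
    for ts, user, host, action, path in map(parse_line, lines):
        key = (user, host)
        # Canary: any write, rename or delete under the honeyfile directory is
        # an alert on its own, regardless of volume.
        if path.startswith(CANARY_PREFIX) and action in ("WRITE", "RENAME", "DELETE"):
            alerts.append({"type": "canary", "user": user, "host": host,
                           "time": ts.isoformat(), "path": path})
        if action not in ("WRITE", "RENAME"):
            continue
        dq = recent[key]
        dq.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while dq and ts - dq[0][0] > BURST_WINDOW:
            dq.popleft()
        distinct = {p for _, p in dq}
        if len(distinct) >= BURST_THRESHOLD and key not in burst_reported:
            burst_reported.add(key)
            alerts.append({"type": "burst", "user": user, "host": host,
                           "files": len(distinct),
                           "first": dq[0][0].isoformat(), "last": ts.isoformat(),
                           "renamed_suspicious": sum(p.endswith(SUSPICIOUS_EXT)
                                                     for p in distinct)})
    return alerts


def build_sample_log():
    """Constructed sample input: alice saves five files over ten minutes
    (benign); bob renames 25 files to .locked within 30 seconds from WS-042
    and then writes to a canary file."""
    lines = []
    base = datetime(2021, 8, 2, 9, 0, 0)
    for i in range(5):    # alice: one write every two minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()},alice,WS-017,WRITE,"
                     f"/srv/shares/finance/q2/report_{i}.xlsx")
    for i in range(25):   # bob: 25 renames, one per second, starting 09:03:00
        t = base + timedelta(minutes=3, seconds=i)
        lines.append(f"{t.isoformat()},bob,WS-042,RENAME,"
                     f"/srv/shares/finance/q2/invoice_{i}.pdf.locked")
    t = base + timedelta(minutes=3, seconds=26)
    lines.append(f"{t.isoformat()},bob,WS-042,WRITE,{CANARY_PREFIX}budget_2021.xlsx.locked")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

In a real deployment the lines would come from the file server's object-access auditing rather than a constructed list, and the burst threshold would be tuned against a baseline of normal activity so that a backup job or a bulk document import does not trigger it; the canary check has no such tuning problem, which is why honeyfiles are cheap and effective against an insider who is simply pointing ransomware at every share they can see.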

Next-generation Ransomware

The LockBit group recently announced a new version of their ransomware, LockBit 2.0. This new generation of the ransomware advertises, in the group's own words, improved "encryption speed and self-spread function." Recruited affiliates need only deploy the malware to a single server, and LockBit 2.0 will do the rest.

LockBit 2.0 also offers a "profit forecast" function so affiliates can see how many machines they need to infect and what return on investment (ROI) they can expect, given the gang's payout thresholds.

The software has been designed to make it as easy as possible for a recruited affiliate to deploy, with just a few clicks required.

Protecting your company from internal threats

Several important controls should be implemented to protect a company from internal threats:

  1. Run background checks on prospective employees and speak to their references. This is often overlooked, especially when there is urgency to fill a vacant position, but the time taken to screen candidates should not be skipped.

  2. Clear cybersecurity policies, communicated in advance – make sure your employees know the rules, especially regarding the handling and sharing of sensitive company data. For example, blocking removable storage such as USB sticks and external hard drives on company machines helps prevent both the unauthorized copying of data out of the network and the introduction of malware into it.

  3. Regular cybersecurity training – another critical aspect is cybersecurity awareness training for all staff. Staff should be trained never to leave a workstation unattended in an unlocked state; an unlocked machine is exactly what an insider looking to launch malware under someone else's account would use. For their own protection and that of the company, staff should always lock their computer when leaving the desk. It is also vital that employees are aware of phishing schemes. Never open an email attachment or link from an unknown source, and never click on an unexpected link without first verifying it with the sender through a separate channel (a phone call, not a reply to the email), even if the email appears to come from someone within your organization.

  4. Make sure every workstation and server has adequate endpoint protection installed. Endpoint detection and response (EDR) products such as CrowdStrike Falcon go beyond traditional signature-based antivirus by monitoring process behaviour, and can detect malware, intrusion attempts and inappropriate use. The agent must be configured with tamper protection, so that a user with local administrator rights cannot stop, uninstall or reconfigure it, and its alerts must go to a console the user cannot reach.

  5. An employee who is being dismissed should have all access rights (accounts, VPN, tokens, building access) removed immediately, no later than the moment they are told, and should be physically escorted from the premises.

Whether or not such a solution is in place, back up all important and sensitive data on an ongoing basis. This will enable you to recover your files if they are encrypted, without having to pay the ransom. Keep at least one copy of mission-critical data offline or on immutable storage that cannot be reached with ordinary network credentials, because ransomware, and an insider in particular, will look for and encrypt or delete any backups reachable from the network. Test restores regularly; an untested backup may turn out to be unusable exactly when it is needed.

For smaller businesses that have no internal IT department and outsource their IT to a managed services provider, find out what mechanisms your provider has in place to protect you from cyberattacks, and who watches the alerts. Not all IT companies are up to speed with cybersecurity, nor are they all proactive in monitoring security alerts within your network.

The cybersecurity threat landscape is constantly evolving, so it is crucial to stay abreast of this information and be prepared for the worst-case scenario, which may include a ransom demand from cybercriminals.
