
Cyber crime groups now seek unhappy employees to help plant ransomware

Published August 23, 2021 (updated June 9th, 2022)

The modus operandi of ransomware attacks is evolving with each passing day. The latest form of attack involves recruiting disgruntled employees to carry out the attack, with the promise of a cut of the ransom paid afterwards.

In a recent report, Abnormal Security indicated that it had observed a sharp increase in the number of emails sent to its customers asking them to become accomplices in ransomware attacks. The researchers took the initiative to reply to one of the emails to find out the end game of the cybercriminals behind this group.

A 40 percent ransomware payment

According to the report, the cybercriminal group behind the insider ransomware scheme was identified as DemonWare, which also goes by the aliases Black Kingdom and Demon. The group has been around for years, and in March it was caught trying to exploit the Microsoft Exchange vulnerability in a bid to launch a ransomware attack.

Earlier interactions with the group showed that it promised to pay $1 million in bitcoin, which was 40 percent of the ransom it intended to demand. The group was also willing to lower the ransom demand based on the company's size and revenue, but it still offered the insider 40 percent of whatever total ransom was paid to the gang.

Launching an attack

In the latest campaign by the ransomware group, disgruntled employees who accept the cybercriminals' offer are told that they can launch the ransomware attack either physically or remotely. This information is provided in the initial recruiting email, along with other details: how much the group is willing to pay people who take up the offer, reassurance meant to calm their anxiety about the attack, and what they stand to gain by helping launch it.

In the next phase, the group provides an additional Outlook email address through which recruits who take the offer can contact them. They also provide a Telegram account as a secondary channel of communication with the employee who accepts.

After the Abnormal Security team reached out to the attackers, posing as a potentially disgruntled employee willing to take up the offer, the group reiterated its plan and emphasized what the insider stood to gain. The cybercriminals behind the email also asked the researchers whether they had physical access to the Windows server, to which they replied affirmatively.

To launch the attack, the cybercriminals sent two links to executable files that they intended the disgruntled employee to download and then place on the Windows servers in person to start the attack.

Based on its analysis and research, Abnormal Security was able to confirm that the files were in fact ransomware and, if installed as instructed, would initiate an attack that encrypted all the data on the network.

To calm nervous recruits who might be afraid to launch the attack, the cybercriminals assured them that it would be difficult to get caught, since all they needed to do was upload the ransomware to the server. Where CCTV cameras are present, they told their potential recruits not to worry, because the ransomware would encrypt everything on the network, including the video footage that could otherwise identify the person who took the offer.

What does the insider job threat mean for veterinary practices?

Veterinary practices, like any other business, may have disgruntled employees who would take such an offer. There is also the possibility of employees being blackmailed into acting as insiders to launch ransomware attacks.

The modus operandi of the ransomware group behind the Abnormal Security research, however, requires a lot of things to go right for a ransomware attack to succeed.

First, the group seems to be targeting senior-level executives with access. According to the group, it obtained the email addresses of its target list using the LinkedIn platform, and only targeted people it considered likely to have access to the Windows server or the network. Fortunately, most senior-level management working in veterinary practices would not fall for such a cheap scheme.

However, the method the hackers are using is one of the most sophisticated forms of social engineering, and you can't rule out the possibility of an employee taking the offer out of malice. If that happens, a successful ransomware attack is almost guaranteed.

Second, the group didn't seem very savvy with technology, judging by the advice it gave potential recruits, which included deleting the files after installing them on the Windows server. It made the sweeping assumption that everyone it contacted would have physical access to a server, and it also seemed unfamiliar with the digital forensics and incident response investigations that would unearth the employees involved in the attack.

Third, the report showed how easy it is to obtain the contact details of your veterinary practice's employees. The attackers could just as well have used other methods, such as phishing scams, that would still have been effective at infecting a veterinary practice's network. The ease of obtaining senior-level executives' email addresses is a further reason why veterinary practices need to exercise a high level of caution when opening emails containing links, because those links may be laced with ransomware that ends up compromising your security.

Going forward, veterinary practices should expect this form of attack to be used again by other cybercriminal groups. Recent cyberattacks have shown how ransomware attackers copy the attack methods of other criminals and reuse them. This is therefore just the beginning of operations that recruit disgruntled employees to launch ransomware attacks.

Is your hospital ready for an attack?

Schedule a free call today to see how Lucca Veterinary Data Security can help you prepare to defend yourself from a ransomware attack.