Ransomware, the danger lives next door
February 02, 2022
Of those who were approached to help with ransomware attacks, 49% reported the incident to federal law enforcement, and only 18% made both an internal and an external report.
Recruiters most often made contact by email (59%); telephone (27%) and social media (21%) were the other channels used.
Source: Hitachi ID
Many of the surveyed companies consider themselves prepared to defend against ransomware because they rely on network perimeter defense: most decision-makers (45%) say it is their primary cybersecurity technique, and 6% use perimeter defense exclusively. That is exactly where the weak link in the chain of cybersecurity resources may lie. Perimeter controls only target malicious actors coming from outside; they do nothing about an employee recruited by a ransomware gang, who already operates inside the perimeter with legitimate access.
Overall, 57% of respondents reported that they were offered cash or bitcoins worth less than $500,000.
Finally, of the 65% of companies whose members were approached to help with ransomware attacks, 49% ended up being victims of this type of cybercrime. Most, according to the study, consulted external advisors before acting and were advised not to pay the ransom; 26% paid the ransom, 29% did not pay, and 32% declined to comment.
Malicious employees recruited by cybercriminals are not the only internal enablers of ransomware attacks; the unwary are too.
Of the incidents that used the "self-install" technique, in which the victim runs the malicious file themselves, 71% used compressed archives containing JavaScript, 7% used compressed executables and 4% included Excel macros.
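As an added example (not from the article, Expel or Hitachi ID), the following Python check is the kind of inspection a mail gateway or endpoint tool can apply to an archive before an unwary user "self-installs" its contents: it opens a zip, and flags script files, executables (by extension or by the MZ header, so a renamed .exe is still caught) and Office documents that carry a VBA project (so a macro document renamed to .xlsx is still caught). The extension lists, file names and the sample archive are constructed for the demonstration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Extension lists are assumptions for this demo, not a complete blocklist.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
EXEC_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".cpl"}
MACRO_EXTS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm"}


@dataclass
class Finding:
    name: str
    reason: str


def _is_pe(data: bytes) -> bool:
    """Windows executables (EXE/DLL/SCR) start with the MZ header."""
    return data[:2] == b"MZ"


def _has_vba_project(data: bytes) -> bool:
    """Macro-enabled OOXML files are zip containers with a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_archive(archive_bytes: bytes) -> list[Finding]:
    """Return one Finding per archive member that matches a self-install lure pattern."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = PurePosixPath(name).suffix.lower()   # last suffix: "a.pdf.js" -> ".js"
            data = zf.read(name)
            if ext in SCRIPT_EXTS:
                findings.append(Finding(name, f"script file ({ext}) inside archive"))
            elif ext in EXEC_EXTS or _is_pe(data):
                findings.append(Finding(name, "executable by extension or MZ header"))
            elif ext in MACRO_EXTS or _has_vba_project(data):
                findings.append(Finding(name, "macro-enabled Office document (extension or embedded vbaProject.bin)"))
    return findings


def should_quarantine(archive_bytes: bytes) -> bool:
    return bool(inspect_archive(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed lure archive mimicking the vectors in the text (no real malware)."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as inner:
        inner.writestr("[Content_Types].xml", "<Types/>")
        inner.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.pdf.js", "// double extension hides the script\n")
        zf.writestr("readme.txt", "See attached invoice.\n")
        zf.writestr("photo.jpg", b"MZ\x90\x00 renamed executable stub")
        zf.writestr("Quote.xlsx", xlsm.getvalue())   # macro document renamed to .xlsx
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive for the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.name}: {f.reason}")
```

The content checks matter more than the extension lists: the renamed executable and the renamed macro workbook in the sample are exactly what an extension-only filter misses, and nested archives (an archive inside the archive) would still need the same inspection applied recursively.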
The other two attack vectors were exploitation of vulnerabilities in internet-facing software (4% of all ransomware incidents) and abuse of third-party access (3%; for example, through attacks on the software supply chain or the use of compromised privileged credentials). In the first case, attackers targeted Windows servers running a vulnerable version of WordPress, a popular content management system. In the second, the compromised privileged credentials were used for remote access over Microsoft's Remote Desktop Protocol (RDP) or through a Citrix gateway.
The top malware families that Expel attributed to ransomware operations were the Gootkit loader (44% of incidents), the SocGholish framework (15%) and the Beacon agent of the Cobalt Strike tool (3%).
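As an added example (not part of the article), here is a small Python detection for the credential-abuse case above, run over constructed Windows Security log events flattened to JSON lines (event 4624 is a successful logon; LogonType 10 is RemoteInteractive, i.e. RDP). It flags RDP logons whose source is outside the internal address space, and RDP logons by privileged accounts that did not come through the designated jump host. The address ranges, account names, jump host and field layout are assumptions for a hypothetical environment.

```python
from __future__ import annotations

import ipaddress
import json

# Assumed environment facts (not from the article): these ranges are internal,
# and one jump host is the only sanctioned source of administrative RDP sessions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUMP_HOSTS = {"10.0.0.50"}
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}
RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP / Terminal Services)

# Constructed sample: 4624/4625 events with the usual EventData fields.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.0.0.50"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.77"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "203.0.113.77"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.9"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.8.13"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "-"}
"""


def source_is_external(ip_text: str) -> bool:
    """True when the source address parses and lies outside INTERNAL_NETS.

    Explicit ranges are used rather than ip.is_private, because the latter also
    treats documentation ranges such as 203.0.113.0/24 as private.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" means no network source was recorded
    return not any(ip in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_rdp_logons(events: list[dict]) -> list[dict]:
    """Return successful RDP logons that are external or bypass the jump host."""
    hits: list[dict] = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        user = str(ev.get("TargetUserName", "")).lower()
        src = str(ev.get("IpAddress", "-"))
        reasons = []
        if source_is_external(src):
            reasons.append("RDP logon from outside internal address space")
        if user in PRIVILEGED_ACCOUNTS and src not in JUMP_HOSTS:
            reasons.append("privileged account RDP logon not via jump host")
        if reasons:
            hits.append({"user": user, "src": src, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rdp_logons(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

The rule deliberately ignores the network logon (type 3) by the service account and the failed attempt from the external address: the first is a different access path that needs its own rule, and the second only becomes interesting when it is followed by a success, which is what the 4624 filter catches. The same check fits a Citrix gateway if its session logs are normalised into the same user/source fields.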