Insider threat could use ransomware-as-a-service to profit from victims

Researchers now think that Ransomware-as-a-Service can be exploited particularly effectively by those with insider knowledge of an organisation

Irreparable damage could be caused to organisations, warn researchers

Security researchers have warned that criminals with insider knowledge of an organisation's infrastructure could use ransomware-as-a-service (RaaS) to extort money from victim organisations.

RaaS comprises an ‘affiliate’ distribution model in which the ransomware developer provides customised, on-demand versions of malware to distributors. The ransomware author collects the ransom and shares it with the distributor: the author keeps a small cut of the funds while the rest goes to the distributor.

In a blog post, researchers from Imperva said that malicious insiders can exploit their inside information on the organisation's unstructured data and their knowledge of where sensitive data is located, as well as their permissions, to encrypt the most valuable data. 

“Moreover, they know what the value of the data to the organisation is and can assume how much the organisation will agree to pay for the data decryption,” said Itsik Mantin and Deepak Patel, both of Imperva. “We are aware that the main motivation for malicious insiders is financial, and using RaaS on the organization is simple, safe, and profitable.”

The researchers added that future RaaS customisable parameters might be more specific and include business-related information, such as which network shares hold data of interest, or even relevant credentials. “It is conceivable that a malicious insider could use RaaS to extort his organization and cause irreparable damage,” they said.

Andy Thomas, managing director of Europe at CSID, told SCMagazineUK.com that insider threats are virtually impossible to ‘eradicate’.

“Companies can put in place monitoring and logging to identify when individuals access data and how, but there will always be individuals who are willing to compromise their morals for profit. However, companies can implement various policies to attempt to mitigate any illegal access, and certainly remove any doubt of the repercussions of malicious or untoward activities.”

“An explanation of the consequences of unlawful or unapproved data access, as well as policies which are actively monitored and enforced, is really the only way in which companies can proceed,” he added.

Adrian Crawley, Radware regional director for Northern EMEA, told SC that to deal with a potential insider ransomware threat, organisations should put together a cyber-security emergency response plan with an emergency response team and process in place, and should identify the areas where help is needed from a third party.

He added that organisations should also monitor security alerts and examine triggers carefully and “tune existing policies and protections to prevent false positives and allow identification of real threats if and when they occur”.
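The monitoring and logging that Thomas describes, and the alert tuning that Crawley recommends, can be illustrated with a small detector over file-share audit logs. The example below is added here and is not code from the article, Imperva, CSID or Radware. It flags an account that modifies or renames an unusually large number of files across several network shares within a short window, which is the footprint an insider running ransomware against shares they already have access to would leave in the audit trail. The log lines, user names (`alice`, `bob`, `svc_backup`), share paths and thresholds are all constructed for the example; the allowlist is the "tune existing policies to prevent false positives" step, so a backup service account that legitimately rewrites many files is not reported.

```python
"""Flag ransomware-style bulk file modification in file-share audit logs.

Added example, not from the article or the vendors it quotes. Log format,
account names, share paths and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WRITE_ACTIONS = {"WRITE", "RENAME", "DELETE"}  # events that change data on disk
WINDOW = timedelta(minutes=5)   # sliding window for the burst check
MIN_EVENTS = 30                 # modifications inside WINDOW before an account is flagged
MIN_SHARES = 2                  # burst must span at least this many shares
ALLOWLIST = {"svc_backup"}      # assumed name of a backup account expected to touch many files


def parse_line(line):
    """Audit line format (constructed): '<ISO timestamp> <user> <action> <UNC path>'."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def share_of(path):
    r"""Reduce \\server\share\dir\file to \\server\share."""
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])


def flag_bulk_modifiers(lines, min_events=MIN_EVENTS, min_shares=MIN_SHARES,
                        allowlist=ALLOWLIST):
    """Return {user: (event_count, [shares])} for accounts whose write/rename/delete
    activity exceeds min_events across min_shares shares inside any WINDOW."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, action, path = parse_line(line)
        if action in WRITE_ACTIONS and user not in allowlist:
            per_user[user].append((ts, share_of(path)))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            shares = {share for _, share in window}
            if len(window) >= min_events and len(shares) >= min_shares:
                flagged[user] = (len(window), sorted(shares))
                break  # first qualifying window is enough to raise the alert
    return flagged


def build_sample_log():
    """Constructed audit lines: one normal user, one insider burst, one backup account."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()} alice READ \\\\fs01\\finance\\q1_forecast.xlsx",
        f"{(base + timedelta(seconds=40)).isoformat()} alice WRITE \\\\fs01\\finance\\q1_forecast.xlsx",
        f"{(base + timedelta(minutes=3)).isoformat()} alice WRITE \\\\fs01\\finance\\notes.docx",
    ]
    # Insider burst: 40 writes/renames in two minutes across three shares.
    shares = ["\\\\fs01\\finance", "\\\\fs01\\hr", "\\\\fs02\\legal"]
    for i in range(40):
        ts = base + timedelta(minutes=10, seconds=3 * i)
        action = "RENAME" if i % 2 else "WRITE"
        lines.append(f"{ts.isoformat()} bob {action} {shares[i % 3]}\\doc{i:03d}.pdf.locked")
    # Backup account rewriting snapshots on two shares overnight: noisy but legitimate.
    backup_shares = ["\\\\fs02\\backup", "\\\\fs03\\backup"]
    for i in range(60):
        ts = base + timedelta(hours=14, seconds=i)
        lines.append(f"{ts.isoformat()} svc_backup WRITE {backup_shares[i % 2]}\\snap{i:03d}.bin")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("with allowlist:   ", flag_bulk_modifiers(log))
    print("without allowlist:", flag_bulk_modifiers(log, allowlist=set()))
```

Run as-is, the detector reports only `bob`; running it with an empty allowlist also reports `svc_backup`, which is the false positive the allowlist tunes out. In production the thresholds would be set from a baseline of each account's normal share activity rather than the constants used here.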