Threat Intelligence

    Hijacked from Within: The Ransomware Insider Threat

    As automated security gets better, cybercriminals are going old school by recruiting your employees to launch ransomware from inside your firewall.   

    by Dr. Matthew Canham

    Key Points

    • Cybercrime groups are attempting to enlist insiders to help deploy ransomware inside their employers’ networks. 
    • A recent attempt to recruit a Tesla employee highlights this trend. 
    • Security departments can counter this risk by taking a more proactive approach to security and educating employees on how to avoid these threats.     

    Last June, a major ransomware operator launched a new version of its ransomware-as-a-service offering with an alarming twist. It had updated the Windows wallpaper placed on encrypted devices to display an offer to “earn millions of dollars” for providing the cybercrime gang with network access or other insider information that would help it “steal the most valuable data of any company.”[1] The novel “help wanted ad” directed would-be participants to reach out through an encrypted messaging service for more details.

    It’s one of the latest public examples of a broader trend in the evolution of ransomware attack vectors over the past few years. As automated security at the perimeter of corporate networks has improved, cybercriminals are looking for easier ways in, including conscripting employees with privileged access to a targeted company’s systems to participate in their ransomware plots. Earlier last year, Egor Igorevich Kriuchkov pleaded guilty to a similar scheme: offering one Tesla employee $1 million to help install ransomware inside the computer network of the company's battery plant in Nevada.[2]

    In the Tesla case, prosecutors noted that the swift response of the targeted company and involvement of law enforcement halted the extortion scheme at its inception and prevented a major exfiltration of the company's data. Walking through the foiled attempt to enlist the Tesla insider in a ransomware plot can prove instructive to other companies on how these solicitations usually proceed and the value of up-to-date cybersecurity awareness training in educating employees to spot these schemes and protect against them.

    Recruiting for the Enemy: A Tale as Old as Time

    When soliciting employees to provide network access, ransomware operators rely on tactics similar to those that intelligence agencies have used for centuries to enlist spies and double agents. This process, also called the asset recruitment cycle, typically involves four phases:[3]

    • Identifying a potential asset.
    • Assessing their suitability as a co-opted agent (e.g., access, motivations).
    • Developing the asset to be operationally capable.
    • Handling the asset for the duration of the operation.

    Identification Phase

    The Kriuchkov case provides a solid example of how each of these phases played out in the context of deploying ransomware. To breach Tesla, Kriuchkov first needed to find an employee with access to the battery plant’s network. Cybercriminals typically rely heavily on open-source intelligence (OSINT), scouring professional social media platforms like LinkedIn, to pinpoint insiders with potential access, motivation, and ability to carry out the actions that the ransomware gang requires. At Tesla, Kriuchkov targeted an employee he met through a mutual acquaintance.[4]

    Assessment Phase

    After identifying the potential recruit, Kriuchkov moved on to the assessment phase, traveling to Reno to meet his insider acquaintance in person. The objective at this stage is typically to validate the individual’s access, ability, and willingness to provide the information required to deploy the ransomware.

    This stage usually relies heavily on OSINT to look for potential motivators to commit the crime. The acronym MICE (money, ideology, ego, and compromise) describes a common spectrum of motivations for people to become insider threats. It is also critical for the criminal to know whether the person is technically capable of committing the crime. With ransomware, this can be as easy as plugging in a USB drive. With such a low threshold, the criminal will need to assess the potential recruit’s ability to follow instructions.

    In this case, Kriuchkov conducted this assessment in person, but assessments are often carried out online. Kriuchkov went out for drinks with the Tesla employee several times over the course of a few weeks, covertly evaluating the individual’s suitability as co-conspirator. Usually, if the prospect appears to be a good candidate, this phase culminates with “the pitch”: the cybercriminal reveals his true aims. Once Kriuchkov was satisfied that the Tesla employee suited his purposes, he invited him to participate in a “special project” for which he would be paid $500,000. 

    Development Phase

    If the recruit accepts the pitch, the relationship then moves into the development phase. The objective at this point is to develop the recruit into someone who is operationally capable of deploying malware onto internal systems.

    This phase also relies heavily on the development of tradecraft such as using a prepaid cellphone and arranging a communications plan. In this case, Kriuchkov gave the employee a prepaid cellphone, instructed him to use the encrypted Tor browser, set up a bitcoin wallet, and instructed him to put the phone in airplane mode until he received a prearranged signal. Old school tradecraft often relied on prearranged signals such as a chalk mark at pre-determined location. In Kriuchkov’s case, he indicated that he would send a seemingly benign signal on WhatsApp to indicate that the employee should check his prepaid phone.

    Kriuchkov also briefed the employee on the cybercriminals’ operational plan: to load malware onto the Tesla plant’s systems and launch a concurrent distributed denial of service (DDoS) attack to divert attention.

    Handling Phase

    The objective of the final phase — handling — is to set and manage expectations and overcome any potential resistance. This is often the most challenging phase of the engagement since the interests of the cybercriminal and the recruit are rarely in perfect alignment. In this case, the Tesla employee noted that he was taking the bigger risk and demanded his payout be doubled to $1 million. The ransomware gang eventually agreed. 

    Help Employees Help You Keep Your Company Secure 

    Fortunately for Tesla — and unfortunately for Kriuchkov — the employee had been cooperating with the FBI. In this case, Tesla was fortunate that the employee felt comfortable enough to go to his security office and report the contact. Kriuchkov was arrested shortly after his gang agreed to up the payment to the insider. However, any organization with an online presence is a potential target for insider-assisted ransomware with cybercriminals actively assessing and attempting to recruit their employees as would-be accomplices. 

    The Tesla example illustrates the unique vulnerabilities that exist at each phase of the asset recruitment cycle and the opportunities for systems defenders to disrupt the process. The sooner that a targeted company becomes aware of these attempts, the better. To that end, there are actions companies can take to educate their employees about this threat and encourage them to report suspicious activity or solicitation attempts.

    Unlike Kriuchkov, who knew his target, cybercriminals often approach employees using the pretext of recruiting them for a new job (rather than recruiting them to abet a crime). Posing as a headhunter eager to steal the employee away has the added benefit of discouraging them from reporting the communications to HR or IT. It is crucial that companies make employees aware of such scams, integrating these tactics into their cybersecurity awareness training programs. Companies can also offer employees a “safe space” for reporting these contacts without fear of reprisal. 

    The Bottom Line 

    Taking a proactive approach is imperative to prevent employees from being enlisted to participate in ransomware attacks. Cybersecurity teams can make it a point to talk to employees about the increase in ransomware gangs soliciting insiders for help. Cybersecurity leaders can also consider consulting with their legal department about the possibility of creating social media “honey pots”: fake profiles that appear to be legitimate employees of their company created to attract and catch cybercriminal gangs in the act. Read how solutions such as Mimecast’s Internal Email Protect and information security awareness training can also help prevent malicious insider actions from spreading.   



    [1]LockBit Ransomware Wants to Hire Your Employees,” Cybereason Blog

    [2]Russian pleads guilty to Tesla ransomware plot,”

    [3]How Do You Spy When the World Is Shut Down,” Lawfare Blog

    [4] “United States District Court, District of Nevada, United States of America, Plaintiff, v. Egor Igorevich Kriuchkov,” U.S. Department of Justice

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top