After my recent blog on risk starting from the inside, I discussed the ransomware topic with a colleague, and he brought up a fascinating point. Imagine, if you will, a member of the organization who discovers both an opportunity to carry out, or allow, a ransomware attack on the organization and a compelling motive to do so.
So let’s talk about motives for a moment. That is where things get interesting. There are lots of motives when it comes to ransomware. The first one, of course, is that it seems to be a fairly easy way for bad actors to make enormous amounts of money.
According to this article, the average payout in 2021 was $570,000 USD. The same article reports that the average cost of recovery is 1.85 million dollars! The CNA Financial ransomware attack cost the company $40 million in the payout alone. Ouch! Sadly, when it comes to ransomware, crime has been paying handsomely.
However, from a threat perspective, we have to consider something potentially much bigger when it comes to ransomware. One of the biggest tech sector trends in 2022 and 2023 is large layoffs at technology firms. When the stock market goes down, so do the jobs. Sadly, as many of us in the world of cybersecurity know, the security budget is often on the list of cost-cutting measures. Of course, this leaves many disgruntled cybersecurity workers with intimate knowledge of the organization's dirty laundry.
There could be vulnerability information the employee discovered and reported to the executives, which sometimes goes ignored. Sometimes the legal team requests that such information be kept confidential. Sometimes they ask for all such operations to cease (I have seen this happen). To some, it seems that no news is good news. When the employee is laid off, that information leaves the organization with them.
The disgruntled tech worker may also still be lurking within and feel “morally” justified to do whatever he or she feels is necessary to teach the organization a lesson. Sometimes they just want a big payout, and the decisions being made make that very viable, as well as an opportunity to show the organization the error of its ways. Sadly, it is an opportunity for the perfect crime.
Now, there are a lot of different ways this could play out. One way is to just grab the bull by the horns, mastermind the attack, figure out how to make it happen, and then take the payout. The classic “sticking it to the man” scenario.
However, another, perhaps more insidious and potentially more clever, method is to team up with someone more skilled at ransomware attacks and provide that attacker with a detailed roadmap of how to make it all happen. Perhaps the insider or recently terminated tech worker takes a cut of the proceeds, or perhaps he or she chooses not to, in order to stay off the money trail, and simply relishes the organization's anguish. Karma at its finest!
There is also potentially a third way, where a ransomware attack is invited by an insider to cover the tracks of more traditional types of crime. This makes me wonder if it has already occurred, where money has been embezzled and the attack conveniently erases the tracks left behind. In this case, the ransom demand is just a ploy, and there is no actual intention to decrypt the files. That is easy enough to make plausible, since ransomware attacks are regularly carried out with poorly written software that, in practice, amounts to one-way encryption.
Anyway, you see my point by now, I imagine. An organization that fails to identify and remedy cybersecurity issues faces risk from much more than the mean and nasty outside world.
Something to think about.