Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018.

According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

I've read about or been peripherally involved in investigating frauds involving privileged insiders diverting company payments by manipulating payee bank details, setting up fictitious suppliers, submitting fake invoices and generally undermining the usual procurement/financial controls. I've even heard of disaffected workers deliberately infecting company systems with malware for revenge or extortion.

The insider using ransomware payments, presumably to an untraceable cryptocurrency account, as cover for his scam is an interesting wrinkle.

It is conceivable that some companies' complaints about paying ransoms but not regaining access to their data involve similar insider scams. Even if they have the cyber equivalent of 'proof of life' (confirmation that the perpetrators can, in fact, decrypt and restore the data), how can they be sure they are dealing with the actual perpetrators of the ransomware attack, and that any payoffs will reach them rather than an intermediary?

There's a tricky identification, authentication, assurance, trust and integrity issue here: the victim is communicating with an anonymous and malicious counterparty, over channels that an insider may be able to intercept or alter.

Naturally, experts advise not paying ransoms and of course it is much better to mitigate the risks than suffer costly incidents. But the controls are fallible. Incidents still occur. Businesses are disrupted. Under intense pressure, people become desperate for stress relief. 

Something to bear in mind in your information risk assessments? 


PS Press release from one of the investigating team here. When the case came to court (this year, five years after it happened), the perpetrator pleaded guilty.