Ransomware Attackers Target Employees for Data Breach Access

In a concerning development for cybersecurity, malicious actors are targeting everyday employees and encouraging them to participate in ransomware operations against their own employers. Recent insights from GroupSense, a cybersecurity firm, reveal that malware operators are not only delivering ransomware notices but are also attempting to recruit victims to expand the scope of their attacks.

The typical ransomware notification, still prevalent in these attacks, has evolved to include a persuasive pitch for users to engage further with the malware. Victims of a ransomware variant known as DoNex are now seeing pop-up messages that propose they facilitate the infection of additional machines within their companies. The recruitment message states, “Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.” Such invitations are alarming, as they exploit both the urgency of the ransomware demand and the potential for insider complicity.

These notifications often solicit sensitive access credentials to critical systems, such as RDP or corporate email, and suggest that users execute a provided virus on their workstations. Kurtis Minder, CEO of GroupSense, indicated that while enticing employees to take part in these schemes is a new development, the act of trying to recruit insiders is a significant escalation by cybercriminals.

Additionally, there appears to be a troubling misrepresentation by the attackers regarding their affiliations. The ransomware notices claim association with the notorious LockBit group, a prominent figure in the cybercrime landscape. However, DoNex is lesser-known, leading to speculation that these criminals may be employing what could be likened to “stolen valor” to lend credibility to their operations and entice victims.

While the allure of financial gain might appeal to some, cybersecurity experts strongly advise that any indications of a ransomware infection be reported to management immediately. The prospect of participating in corporate espionage under the pretense of sharing in a monetary payoff can be dangerously misleading. Ransomware operators are inherently duplicitous, and promises of significant returns are often deceptive.

In light of this situation, it is critical to understand these adversaries' tactics and techniques in terms of the MITRE ATT&CK framework. Potentially relevant techniques include initial access through phishing or exploitation of vulnerabilities, followed by persistence and privilege escalation within the corporate network.

As the threat landscape continues to evolve, business owners must remain vigilant against these increasingly sophisticated approaches designed to exploit their own employees. The necessity for robust cybersecurity training and protocols is paramount to mitigate risks associated with insider involvement in cyberattacks. Protecting sensitive data and maintaining a safe operational environment requires an informed workforce aware of the deceptive tactics utilized by cybercriminals.
