[BreachExchange] Insider threat could use ransomware-as-a-service to profit from victims

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 28 19:44:51 EDT 2016


http://www.scmagazineuk.com/insider-threat-could-use-ransomware-as-a-service-to-profit-from-victims/article/492764/

Security researchers have warned that criminals with insider knowledge of
an organisation's infrastructure could use ransomware-as-a-service (RaaS) to
extort money from victim organisations.

RaaS comprises an ‘affiliate’ distribution model where the ransomware
developer provides customised, on-demand versions of malware to
distributors. The ransomware author collects the ransom and shares it with
the distributor. The author gets a small cut of funds while the rest goes
to the distributor.

In a blog post, researchers from Imperva said that malicious insiders can
exploit their inside information on the organisation's unstructured data
and their knowledge of where sensitive data is located, as well as their
permissions, to encrypt the most valuable data.

“Moreover, they know what the value of the data to the organisation is and
can assume how much the organisation will agree to pay for the data
decryption,” said Itsik Mantin and Deepak Patel, both of Imperva.

“We are aware that the main motivation for malicious insiders is
financial, and using RaaS on the organization is simple, safe, and
profitable.”

The researchers added that future customisable RaaS parameters might be
more specific and include business-related information, such as which
network shares are valuable or even relevant credentials. “It
is conceivable that a malicious insider could use RaaS to extort his
organization and cause irreparable damage,” they said.

Andy Thomas, managing director of Europe at CSID, told SCMagazineUK.com
that insider threats are virtually impossible to ‘eradicate’.

“Companies can put in place monitoring and logging to identify when
individuals access data and how, but there will always be individuals who
are willing to compromise their morals for profit. However, companies can
implement various policies to attempt to mitigate any illegal access, and
certainly remove any doubt of the repercussions of malicious or untoward
activities.”

“An explanation of the consequences of unlawful or unapproved data access,
as well as policies which are actively monitored and enforced, is really the
only way in which companies can proceed,” he added.

Adrian Crawley, Radware regional director for Northern EMEA, told SC that
in order to deal with a potential insider ransomware threat, organisations
should put together a cyber-security emergency response plan that includes
an emergency response team and a process. They should also identify
areas where help is needed from a third party.

He added that organisations should also monitor security alerts and examine
triggers carefully and “tune existing policies and protections to prevent
false positives and allow identification of real threats if and when they
occur”.