From legitimate access to chaos: the new face of ransomware driven by insiders
Not long ago, we handled yet another ransomware case—one of the hundreds that occur daily and among the many we respond to each month. However, this case was particularly unusual: when gathering evidence, we discovered that the attacker had been inside the network for just two days, and all the actions had been executed from an administrative account via VPN. They seemed to know the infrastructure and services inside out. And indeed, they did—because the compromised account belonged to one of the IT department leaders, who was also the person who contacted us to activate the incident response protocol.
This kind of scenario has become increasingly common in recent months, revealing a growing trend in threats to organizations: insiders are becoming one of the preferred tools for cybercriminal groups to achieve their financial goals.
The link between insiders and ransomware is becoming more evident. Statistics show that in 2024, 47% of ransomware incidents originated from legitimate credentials already in the attackers’ possession.
These credentials are often obtained through recruiting campaigns targeting employees to facilitate access to corporate networks from the inside.
Pulse documented such a tactic in 2022, when they interviewed 100 IT directors. The study revealed that 57% of employees had been approached by criminal groups to grant access to corporate networks, and several of these attempts ultimately led to ransomware attacks.
Why is it so dangerous?
Unlike traditional ransomware attacks—which are noisy and typically trigger automatic alerts—insider-driven attacks can be completely silent. They may lie dormant for months, even years, without being detected by monitoring tools and without the need to deploy malware directly.
It’s key to understand that there are three types of insiders, each with specific characteristics. And while not all are disloyal employees or contractors, their activity often goes unnoticed because it doesn’t raise immediate red flags:
- Compromised insiders: users whose credentials have been stolen due to risky behaviors, such as using insecure networks or accessing malicious websites. These accounts are used to steal sensitive data or conduct network reconnaissance. Since the credentials are legitimate, these actions often pass undetected.
- Negligent insiders: users who, out of ignorance or carelessness, perform actions that compromise an organization's security. For instance, clicking on a malicious link that triggers fileless malware that only runs in the computer’s RAM and evades most traditional security controls.
- Malicious insiders: the most dangerous and technically skilled of all. These are individuals who intentionally download malware or collaborate with attackers by granting them access to the network.
Insiders pose one of the biggest threats when it comes to information leaks and ransomware attacks.
What tools do they use?
One of the reasons these attackers can remain undetected for so long—or even exit without leaving a trace—is that they use the same software already present in the organization. This technique, known as "Living off the Land", involves leveraging legitimate operating-system utilities or IT administration tools to carry out malicious activities without raising suspicion.
For this reason, traditional defense and monitoring tools alone are no longer sufficient. A more robust strategy is required, including:
- User Behavior Analytics (UBA/UEBA).
- Identity-based controls.
- Continuous review of authentication logs.
- Monitoring of data exfiltration techniques.
- Integration with threat intelligence.
- And other tools focused on detecting behavioral anomalies.
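As an added illustration of the continuous authentication-log review and behavioral baselining listed above (example code written for this page, not from the original post or any vendor product), the following script baselines each user's VPN source addresses and logon hours, then flags later sessions that deviate, escalating any deviation on an administrative account, which is the pattern of the case described at the start. The events, user names, addresses, cutoff date and the weekend rule are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication events: (timestamp, user, source_ip, is_admin).
# The last three rows mimic the case above: an admin account used via VPN from a new source, off-hours.
EVENTS = [
    ("2024-03-04T09:02:00", "it.lead", "203.0.113.10", True),
    ("2024-03-05T08:55:00", "it.lead", "203.0.113.10", True),
    ("2024-03-06T09:10:00", "it.lead", "203.0.113.10", True),
    ("2024-03-04T10:00:00", "analyst", "198.51.100.7", False),
    ("2024-03-05T10:30:00", "analyst", "198.51.100.7", False),
    ("2024-03-09T02:30:00", "it.lead", "192.0.2.44", True),
    ("2024-03-10T03:15:00", "it.lead", "192.0.2.44", True),
    ("2024-03-10T10:05:00", "analyst", "198.51.100.7", False),
]

def build_baseline(events):
    """Per-user profile of source IPs and logon hours seen during the training period."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip, _ in events:
        profile[user]["ips"].add(ip)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def deviations(event, baseline):
    """Ways an event departs from its user's baseline; an unknown user deviates on everything."""
    ts, user, ip, _ = event
    when = datetime.fromisoformat(ts)
    base = baseline.get(user, {"ips": (), "hours": ()})
    reasons = []
    if ip not in base["ips"]:
        reasons.append("new source ip")
    if when.hour not in base["hours"]:
        reasons.append("unusual hour")
    if when.weekday() >= 5:  # assumption: no routine admin work at weekends
        reasons.append("weekend")
    return reasons

def review(events, cutoff):
    """Baseline on events before `cutoff` (ISO timestamp string), then flag later ones.
    Any deviation on an admin account is escalated; ordinary users need two or more."""
    baseline = build_baseline([e for e in events if e[0] < cutoff])
    alerts = []
    for e in events:
        if e[0] >= cutoff:
            reasons = deviations(e, baseline)
            if reasons and (e[3] or len(reasons) >= 2):
                alerts.append({"user": e[1], "time": e[0], "admin": e[3], "reasons": reasons})
    return alerts
```

In a real deployment the baseline would come from weeks of VPN and directory logs and the source attribute would be an ASN or geolocation rather than a raw IP; the escalation rule for privileged accounts is the point that matters.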
Conclusion
In short, the threat posed by insiders—whether malicious, negligent, or compromised—is exceptionally dangerous due to the inherent trust placed in individuals with legitimate access. Their knowledge of internal systems and the challenge of distinguishing their actions from normal usage make detection extremely difficult.
This type of attack allows for stealthy operations with the potential to cause severe damage, both direct and indirect. For this reason, it stands as one of the greatest threats in today’s landscape of data breaches and ransomware attacks.
Organizations must recognize this reality and treat insider threats as a top priority. Network monitoring solutions are key tools for detecting anomalous behavior that may indicate the presence of an insider or a compromised device. Likewise, enforcing the principle of least privilege, implementing robust password management policies, and ensuring continuous cybersecurity training for all employees are essential steps to mitigate risk.