Saw this from Brian Krebs recently and just sort of nodded my head. Because, of course, this would happen:
“Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.”
Look, it makes sense at any time, but right now, with companies' varying sets of rules around the pandemic (forcing employees back to an office, mandating a vaccine if they do, closing offices, and so on), there is bound to be at least one person who just isn't very happy with whatever stance the company has taken.
Would the vast majority of them stoop to purposefully installing ransomware on the corporate network? Probably not, but the hacker doesn't need the majority; they need one. It only takes one person who is angry enough and unethical enough, and the attacker is in.
First, don't be that person. I don't care how horrible your boss has been: leave, don't do this. There are plenty of jobs open at all levels, so there is no need for you to stay somewhere you are this unhappy. In fact, I've seen numerous people suggesting that companies who are making efforts to keep their employees safe and support their well-being should start headhunting from the companies that are doing less than that. I fully support this, by the way.
On the other hand, as an organization, are you 100% sure you can trust everyone who works for you? As I said, it only takes one to be tempted by this. It also only takes one employee to fall for ransomware without doing it on purpose. Either way, your defenses have to assume that one of them eventually will, whether out of malice or by mistake.
A good backup plan and an incident response plan are necessary. Now. Not next quarter, next month, or next fiscal year. Now. Backups that the ransomware can reach from the infected network are not backups, so keep copies offline or otherwise isolated, and actually test restoring from them before you need to. It takes one employee almost no time to unleash ransomware on your environment. That plan you're making next quarter isn't going to help you tomorrow.