Ransomware gangs are recruiting breached individuals to persuade companies to pay up

You’ve heard about ransomware, where attackers encrypt your files and demand a payment for the decryption key. You may also have heard about ransomware attackers not only encrypting your files, but also threatening to publish the data they stole in an attempt to get you to pay up.

What you may not have heard about is a relatively new tactic that ransomware attackers are using. Recent reports say attackers are using the stolen data to contact the individuals whose information was compromised in the attack, by social media, email or phone.

Ransomware groups are using these direct contact tactics as extra leverage to make victims pay up. They contact staff or customers whose data was exfiltrated in the attack and push them to persuade the victim organization to pay, threatening to release their personal information if it doesn’t.

Earlier this week, NBC News published a story about the parent of a child who attended a school in a district that was the victim of a ransomware attack. The attackers emailed the parent and asked him to put pressure on the district to pay up, or all the exfiltrated files, including information on him and his son, would be released on the dark web.

Allen School District

Ransomware attackers are always looking for low-hanging fruit, and schools have always been easy targets for ransomware because of their limited budgets, especially for security. All of this was made worse by the demand for distance learning created by the COVID-19 pandemic.

In September 2021, Allen ISD was hit with a cyberattack, and later the subject of an attempted extortion by the culprits. Allen ISD serves nearly 22,000 K-12 students about 30 miles north of Dallas, Texas.

After consulting external cybersecurity experts, school officials decided to refuse the hackers’ demands, and even told local media there was no evidence that data had been exfiltrated. That’s despite the fact that the ransomware group said it had obtained personal information on district students, families and staff, and attempted to extort Allen ISD out of millions of dollars.

Cybercriminals often follow the media coverage of how an incident is being portrayed, and if they feel the victim is not being truthful or is misrepresenting the situation, they have been known to escalate.

Personal contact

According to the person interviewed by NBC, the district did not tell parents or many staff that they had fallen victim to an attack, at least not before the contact was made by the attackers themselves.

The attackers use whatever contact information they can find in the stolen data, such as employee directories or customer databases, to identify individuals they can pressure. Learning about such an incident from the attacker can be extra scary for those who had no idea anything had happened.

Enlist insiders

Another tactic ransomware attackers use is to contact workers at a company during the reconnaissance stage of an attack, to see whether an insider will hand them access and let them skip the initial intrusion stage altogether.

A new poll from identity protection company Hitachi ID Systems found that 65% of surveyed IT and security executives said they or their employees had been approached to assist in ransomware attacks, up 17 percentage points from a similar survey done a year earlier. In most cases the attackers used email and social media to contact employees, but 27% of the approaches were made by phone call, a direct and brazen means of contact.

Many ransomware gangs operate as a Ransomware-as-a-Service (RaaS), which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims’ networks and encrypt devices. Using an insider, the developers can avoid splitting the ransom with an affiliate, or an affiliate can be handed a ready-made breach without needing any sophisticated tooling, and without the failed attempts that risk getting them detected.

A prime example of this is LockBit, which has been known to change the Windows wallpaper on encrypted devices to offer “millions of dollars” to corporate insiders who provide access to other networks where they have an account.

Insider risk mitigation

For those worried by the thought of possible insider threats, the Cybersecurity & Infrastructure Security Agency (CISA) has created an insider risk self-assessment tool, with which owners and operators of organizations, especially small and mid-sized ones that may not have in-house security departments, can gauge their vulnerability to an insider threat incident.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.