5 Steps to Prevent Ransomware Attacks Caused by Insiders


If you asked any cyber security professional to name the hottest and most widely discussed topic in the industry right now, they would probably say ransomware. Since the appearance of CryptoLocker in 2013, ransomware has proved extremely effective and lucrative for perpetrators, spreading like wildfire and earning them millions of dollars.

This has led to the explosion of ransomware that we’ve seen over the past several years, during which time new strains have seemingly appeared daily. The number of ransomware attacks continues to grow year after year.


And while initially ransomware was extremely hard to deal with, the cyber security industry has now caught up and devised tools and best practices aimed at ransomware attack mitigation.


However, the truth is that effective protection from ransomware is a layered and continuous process. Traditional anti-ransomware measures include regularly backing up data, making sure that all your software is up-to-date, and protecting your system with anti-malware solutions. Such solutions can protect you from known ransomware strains while updates keep less sophisticated ransomware that relies on known exploits at bay and backups allow you to restore data in case of a successful attack. But despite all that, new strains still appear almost daily, and perpetrators constantly find new ways to obfuscate code and avoid detection. Creating custom ransomware to specifically target certain companies or demographics and employing advanced encryption algorithms allow perpetrators to constantly stay a step ahead of the security professionals.


This is why you need to be able not only to deal with the effects of ransomware but also to detect it as it enters your corporate infrastructure, catch it early, and prevent it from spreading and doing damage. One factor that you need to carefully consider is the role of your own employees and third-party partners in infecting your own system with ransomware.


Insiders serve as a gateway for ransomware to get into your corporate infrastructure. Most of the time they let ransomware in inadvertently, but malicious infections can also happen. In this article, we’ll cover how to prevent ransomware attacks caused by insiders and how you can better control your own insiders in order to strengthen your ransomware protection.


The origin of ransomware


What is a ransomware attack? Usually, ransomware refers to malicious software that employs cryptography in order to encrypt a user’s files and demand ransom in order to decrypt them.


The idea of using cryptography to block access to data for the purposes of demanding a ransom isn’t new. The first ransomware, called AIDS, was developed all the way back in 1989 by biologist Dr. Joseph Popp. It was spread via infected floppy drives and, upon entering a system, counted the number of times the system was booted. Once the counter reached 90, AIDS encrypted all file names within the system while hiding the original files and displayed a message demanding a ransom. Users were asked to mail $189 to a post office box in Panama, addressed to a PC Cyborg Corporation.


Of course, this early example of ransomware had a number of severe flaws. User data wasn’t actually encrypted, meaning that users could easily restore all their files without needing to pay. Also, the distribution and payment methods used weren’t completely anonymous.


Eventually, Joseph Popp was caught and arrested when the police traced the mailing list that was used to initially mail infected floppy disks.


Over the course of the 1990s and early 2000s, the world saw relatively few examples of ransomware attacks. Insufficient encryption algorithms and difficulties establishing payment methods that couldn’t be easily traced were major roadblocks that limited the effectiveness of ransomware.


However, everything changed with the advent of cryptocurrency. First appearing in 2009 in the form of Bitcoin, cryptocurrencies eventually started gaining popularity and becoming accepted as a viable payment method. They provide features such as anonymity and ease of transactions that have proved a great boon not only to legitimate users but also to criminals and hackers.


A new type of ransomware, called CryptoLocker, first appeared in September 2013 and successfully attacked PCs until the middle of 2014 when it was isolated and the Gameover ZeuS botnet, which was used to distribute it, was taken down by law enforcement, who were also able to obtain the database of private keys.


CryptoLocker targeted PCs running the Windows operating system and used RSA public-key cryptography to encrypt user data on both local and network drives. Its advanced encryption proved basically impossible to defeat, and over the course of its operations, CryptoLocker made at least $3 million for its creators (according to the most conservative estimates). Using cryptocurrency for payments allowed perpetrators to stay anonymous while receiving ransoms – a key component to the viability of this type of malware.


Since its undoubted success, CryptoLocker has inspired many clones as well as many other ransomware programs that have taken completely different technical approaches to encryption, distribution, and concealment. Since the advent of CryptoLocker, ransomware has been constantly evolving, with many strains proving extremely successful.


The danger of ransomware


Nowadays, the number and severity of ransomware attacks continues to grow. According to Deloitte, from 2015 to 2016 the number of ransomware attacks increased by 300%, from 1,000 attacks per day to more than 4,000 attacks per day.


In 2017, we saw two of the biggest ransomware attacks to date, both involving the EternalBlue Windows exploit: the so-called WannaCry ransomware, which took down the British National Health Services, and NotPetya, which mainly targeted Ukrainian companies. Both of these strains were extremely successful (producing more than a 20% spike in the number of ransomware infections worldwide according to Symantec) despite the fact that Microsoft had released a patch for the EternalBlue exploit before either attack took place.


The average amount of ransom demanded by ransomware grew steadily up to 2016, but according to Symantec, it stabilized in 2017 in the ballpark of $500. This figure reflects the fact that the main target demographic is rich Western countries, among whom the US is the primary target. While on average 34% of victims worldwide will pay a ransom, victims in the US tend to pay more frequently – in 64% of cases.


Another reason for such a figure is the continuous targeting of companies rather than individuals. Ever since CryptoLocker, ransomware has slowly been shifting away from targeting personal PCs and rather focusing more on corporate networks, mostly small businesses in the public sector, healthcare, education, and finance. During the first half of 2017, companies accounted for 42% of all ransomware infections. This is a striking rise compared to 2016 (when companies accounted for 30% of infections) and 2015 (when companies accounted for 29% of infections).


This latest shift in focus is the main reason why companies nowadays should put even more consideration toward protecting against ransomware attacks. While not all of these attacks are sophisticated and many can be countered with traditional measures, the sheer frequency of such attacks is reason enough to ensure reliable protection.


Types of ransomware


There are many ransomware families out there, each employing a different approach to delivery, encryption, and extraction of the ransom. Usually, successful ransomware inspires numerous clones that try to up the game by adding better obfuscation and more sophisticated encryption algorithms. However, not all ransomware is focused entirely on encryption. In fact, we can point to several distinct types based on the way they extract ransom from their victims.


Scareware is ransomware that’s designed to scare users into paying ransom by displaying threatening messages. Perpetrators often employ social engineering in order to gather and include certain personal data such as user names and information about ISPs and locations within messages to make them more convincing. A typical scareware message claims that the user is under investigation by law enforcement for viewing copyrighted materials or child pornography and demands payment of a “fine” in order to avoid further criminal charges.


Locker ransomware is very similar to scareware. This type of ransomware blocks a user’s access to certain applications or system functions. Locker ransomware most often targets web browsers, blocking access to certain websites or making the web browser completely unusable. But certain strains can block access to the whole system, usually by replacing the regular authentication screen with a ransom note.


Crypto ransomware is the type of ransomware that we had been discussing up to this point, and it’s probably the most famous and widespread variety. It uses cryptography in order to encrypt user data, thus blocking access to it. Users are then prompted to pay a ransom in order to receive decryption keys. There are many types of crypto ransomware with various levels of sophistication. Some target only certain files and use relatively simple encryption techniques that can be cracked, while others use sophisticated asymmetric encryption algorithms and target system data, making it impossible to crack their encryption or restore deleted files.


Fake crypto ransomware is a type of ransomware that acts like crypto ransomware on the surface but instead of encrypting user files often simply deletes them. Alternatively, fake crypto ransomware can actually encrypt user data but not provide decryption keys even when the ransom is paid. This means that the user data is lost the moment the ransom note is displayed. Without detailed analysis, it’s often impossible to tell whether ransomware is fake or real. This is why it’s not a good idea to pay a ransom, and you should do it only as a last resort. At the same time, certain types or regular crypto ransomware offer the ability to remove encryption from some files for free in order to prove that the files are truly recoverable.


How ransomware works


While different types of ransomware use different methods to extract ransoms from users, they all operate on a similar scheme. It’s important to note the main stages of a ransomware attack in order to be able to effectively counter one:


  1. Distribution – There are many ways in which ransomware can be delivered to a target system. Sometimes a man-in-the-middle attack that hijacks legitimate network services is used, and sometimes even a physical storage device with infected files. But more often than not, a regular spam email is enough to deliver the malware. In most cases, a user is directly involved in the delivery, often inadvertently, by clicking on an infected link or an attachment.

  3. Communication – Usually, only a small part of malicious code gets delivered via the initial distribution channel. The purpose of this code is to initiate communication with the network and download the main payload. While malicious code is often heavily obfuscated, perpetrators rarely bother to encrypt network traffic. In order to avoid traffic filters, they often use tricks such as automatically generated domain names.

  5. Infection – Once the payload has been downloaded, ransomware infects the system. At this point, certain targeting mechanisms can come into play in order to make sure that an infected system is a viable target and that the malware isn’t being studied or analyzed. This may involve anything from a simple language check to full environment mapping.

  7. File Search and encryption – Once a system has been infected, malware usually searches for certain types of files that it then starts to encrypt. Targeted files usually include documents and images as well as certain specialized file formats used by professional software. Encryption algorithms and techniques can vary, but more often than not public-key encryption is used that’s virtually impossible to crack.

  9. Ransom demand – The final step of any ransomware attack is displaying a message with a demand for ransom. Payment is usually demanded in Bitcoin or another cryptocurrency. Sending an SMS or calling a premium-priced number is also sometimes used as a form of payment. Many strains also use time-based payment deadlines in order to create a sense of urgency. If the ransom isn’t paid by the initial deadline, the amount demanded will grow.


How ransomware spreads


Among the five stages of an attack mentioned above, the initial one, the delivery stage, is probably the most important, since at this stage you have the greatest opportunity to prevent the attack before any damage has been done. Let’s take a closer look at how ransomware is usually delivered.


Spam. Since its advent, spam has proven to be an extremely effective tool for delivering malware. While some of the spam emails you receive are technically harmless, albeit annoying, many of them come with malicious attachments that infect the system with malware upon download. JavaScript files are used most frequently for this purpose.


Perpetrators often try to make the email look as legitimate as possible in order to trick users into clicking on a link or downloading an attachment. Attachments themselves use different file formats in order to hide their malicious nature. The most frequently used file formats include .doc, .docx, .zip, .rar, .7zip, .lnk, .hta, .svg, .jar, .js, and .gz. Sometimes, when attempting a more targeted attack, perpetrators will use file extensions employed by professional software that’s used inside the targeted organization.


Malvertising. Infected websites are another popular ransomware distribution channel. Ransomware is often delivered via compromised ad networks. Malvertising often redirects users to another page that delivers exploit kits used to scan the system and try to find backdoors and vulnerabilities. Social engineering techniques are employed in order to make users initially click on the infected ad.


Beyond infected advertisements, infected websites are also used, frequently mimicking legitimate resources. Such websites use JavaScript that runs automatically and uses browser vulnerabilities to get into the system.


Exploits and vulnerabilities. Perpetrators often use known exploits and vulnerabilities in order to deliver malware. RDP attacks (looking for open RDP ports) and man-in-the-middle attacks (to hijack communication with a trusted server and deliver malware under the guise of a message or update) are often used to get ransomware into systems.


Targeting. Perpetrators often use targeting techniques to deliver malware to a specific company or demographic. As part of targeted attacks, perpetrators can study corporate networks for vulnerabilities, gather data about employees for social engineering purposes, and steal credentials in order to gain access to systems.


Apart from targeted attacks that are aimed at certain companies and specifically explore vulnerabilities in their infrastructure, perpetrators often check things like language and location settings to make sure that even broad attacks are hitting the correct targets.


One example of targeting is compromising specific websites and services used in certain fields (for example, NotPetya was delivered inside an infected update for accounting software), infecting systems whenever these services are used. Another way to target a specific demographic is to make sure that ransomware encrypts certain obscure file formats that are extensively used by this demographic.


For example, in 2016, PowerWare ransomware encrypted files used by US tax filing software, thus specifically attacking US taxpayers. The original TeslaCrypt targeted online gamers by searching for and encrypting files specific to popular online games. Specific information like this can be extremely valuable to users, and thus may prompt them to more readily accept ransom demands.


The role of insiders in ransomware infections


Getting malware onto a system often requires certain actions on the part of the user. Users themselves are a crucial element in delivery, as they need to either be tricked into infecting or willingly infect the system.


This means that your own employees are more often than not the source of ransomware infections. Let’s take a look at what may prompt your own employees to infect their systems with ransomware.


Malicious insiders. When talking about the danger of insider attacks, malicious insiders are the first group of people that comes to mind. Malicious insider attacks aren’t that frequent, however they’re often the most damaging. Since insiders are generally trusted and have legitimate access to corporate infrastructure and sensitive data, it’s easy for them to infect the system and cover their tracks.


There are many reasons for malicious behavior by employees, but we can pinpoint four of the most frequent types of attackers:


  • Opportune attackers are employees who aren’t very loyal to the company. If they see an opportunity to make quick gains by stealing certain types of data or infecting a system with malware, they may take it. Such attackers are usually simple to deal with since they can be easily deterred by action monitoring, placing an emphasis on cooperation, and dividing their tasks with others. Thorough background checks can also help to filter out applicants prone to opportune attacks.
  • Emotional attackers are employees who usually perform malicious acts against their company as revenge for perceived wrongdoing. When an employee receives a termination notice or is refused a raise, there’s always a chance that they’ll use their position to get back at the company by stealing data or infecting a system with malware. One way to detect such malicious attacks early is to make sure that actions of potentially disgruntled employees are monitored and their access to sensitive data is appropriately controlled (for example, accounts of terminated employees should be disabled in a timely manner).
  • Cold intellectual attackers plan their actions beforehand. Attackers in this category include employees engaged in corporate espionage or who are trying to exploit their position in the company in order to make profit over time, such as by engaging in fraud or insider trading. Such employees are often aware of existing cyber security measures and how to avoid them, making it hard to deter these attackers or detect their activity.
  • Terrorists are the last subset of malicious insiders. These are people hell-bent on delivering a message or doing as much harm as possible instead of actually profiting from their actions. Insiders like this are usually driven by a certain ideology and thus are extremely hard to deter. They’re prone to using malicious software that deletes or alters sensitive data, and ransomware proves a great tool for achieving their aims.


Overall, malicious insiders can use their legitimate access to the system in order to get ransomware inside your corporate network. They can use custom malware that specifically targets your organization. They can also compromise your backups or other means of defense and data restoration. Moreover, they can do all of this while staying completely under the radar.


Inadvertent insiders. Malicious insiders, however, are not the only source of ransomware infections among your employees. In fact, much more frequently ransomware gets into a system due to inadvertent employee actions, such as clicking on an infected ad or downloading malicious email attachments. Perpetrators use advanced social engineering techniques, making it possible that even an employee who’s well aware of a threat can fall victim if they aren’t careful. Malicious emails pose as ones sent by legitimate services currently in use by employees and often include some personal data that gives them additional credibility. Sometimes, emails are used to steal employee credentials, which in turn are used to infect the system.


Third-party partners. In the modern connected economy, every company has a number of third-party service providers that access their corporate network. While third-party insiders can be both inadvertent and malicious attackers, it’s worth thinking of them as a separate category, since you often don’t have a lot of direct control over their actions or the level of security on the end of your third-party partner. Usually, the only time you get an opportunity to assess their security and put some security standards in writing is when you select a third-party provider and pen your service level agreement with them. This is your opportunity to make sure that the company follows all necessary standards and has controls in place to prevent insider threats, including ransomware attacks. Beyond that, all you can do is control access, carefully manage privileges, and monitor user activity in order to detect any attacks early on.


Controlling insiders is key to ransomware prevention


To reiterate, the actions of insiders, both inadvertent and malicious, are one of the key enablers of ransomware attacks. While you can try to filter spam and web traffic and keep your software up-to-date in order to limit the number of known vulnerabilities, any email or infected ad that slips through the cracks can become a source of an attack if your employees aren’t careful.


Controlling insider actions is one of the key elements of a reliable and holistic strategy that will allow you to prevent ransomware attacks. This is an element that’s often ignored in favor of simpler and more traditional solutions.


However, the reality of the situation is that by applying measures that protect from insider threats, you protect yourself not only from ransomware but also from data leaks and breaches as well as other malicious infections, strengthening your overall security posture and making sure that your sensitive data is safe.


Here’s a set of simple measures that you can implement to greatly reduce the risk of ransomware infection as a result of actions by your employees.


Educate your employees – Probably the most important thing is to teach your employees about cyber security and how their own actions can compromise your corporate infrastructure. Even if you have robust cyber security policies and controls in place, they won’t be effective if your employees are ignoring them. Your goal is to show employees that such policies aren’t simply formalities but are a vital part of protecting your company and, by extension, their livelihoods. Make sure that your employees are your allies in the fight against cybercriminals. It’s a great idea to conduct awareness training, covering such topics as spam, social engineering, malware, and credential handling. Also, make sure to conduct regular security policy reviews, making sure that each department is aware of the measures they’re supposed to take to protect data they’re working with.


Use permission management and restrictions – One of the most important things when it comes to permission management is following the principle of least privilege. All users, particularly remote users, should be assigned the lowest level of privilege possible, and a user’s privilege level should be raised only if necessary. It’s also important to discover and manage all privileged accounts within your corporate infrastructure. Any unused privileged accounts should be immediately disabled.


Control access – When it comes to insiders, it’s extremely important to know who’s accessing your sensitive data and when. Protect your existing login procedure with two-factor authentication, which greatly reduces the risk of employee accounts being compromised. 


Use spam filtering and block email attachments – Spam, as one of the most common vectors of ransomware distribution, should be taken into particular consideration. It’s important to both educate your users on the dangers of spam and social engineering as well as to use various software tools in order to block spam and email attachments. There are a variety of spam blocklists available that are regularly updated. You can also create your own blocklist by adding spam that comes to your system. However, it’s impossible to block all spam, which is why controlling employee actions becomes such an important issue when it comes to ransomware prevention.


Employ user activity monitoring – One of the most important insider threat protection tools is user activity monitoring. Specialized user activity monitoring software (such as Ekran System) are able to record everything users see on their screens, giving you a complete look at every user action. Software like this serves both to deter a malicious insider in an organization as well as to detect insider attacks as they happen. This type of software proves a powerful investigative tool, allowing you to clearly determine who exactly caused an incident and how it happened. When it comes to ransomware attacks, user activity monitoring software can record the moment ransomware was downloaded into the system, allowing you to clearly see who’s responsible for an infection and whether it was intentional or unintentional.


How user activity monitoring tools like Ekran System can help you handle ransomware infections


Ekran System is insider threat detection software focused on monitoring user activity. It’s designed with both small and large companies in mind, offering a rich feature set and a flexible licensing scheme that makes deployments of any size cost-effective.


As an insider threat detection tool, Ekran System can help you monitor and control your employees’ actions, preventing both malicious and inadvertent attacks including those using ransomware. When it comes to ransomware specifically, there are a variety of ways in which Ekran System can enhance your defense, detection, and investigative capabilities.


  • Detect users who don’t follow security best practices – Ekran System records everything that users see on their screens. Robust customizable alerts allow the system to detect any suspicious events, including security policy violations. Each alert can have a severity level assigned to it, making it easy to filter out less severe violations from immediate notifications but also review them by generating a specialized report at the end of the month. If an employee is found to consistently violate security policies and best practices, they may be a liability and inadvertently cause an attack. Employees like these should be aware of the dangerous nature of such violations and are prime candidates for cyber security awareness training and review of existing cyber security policies within the company.
  • User activity monitoring as a deterrent – Ekran System works perfectly to deter opportune and emotional attackers. Knowing that actions are recorded and can easily be traced back to them in case of an incident often proves enough to prevent users from committing malicious activity. Moreover, Ekran System also features special driver-level agent protection, making it impossible to stop ongoing recording, while the management panel logs all user actions, making it impossible to secretly alter or delete recorded data.
  • Easily investigate the root cause of ransomware proliferation – Ekran System sends all recorded data via the network to the main database, where it’s stored in an indexed and easily searchable format. Thus, even if all data on a specific endpoint is encrypted, Ekran System will still be able to show you when the ransomware got into the system and how it happened. Whether a user has downloaded an email attachment or installed ransomware themselves for malicious purposes, you’ll be able to learn what happened and act accordingly.
  • Detect dangerous interactions that can lead to ransomware infection – The robust alerting functionality of Ekran System allows you to detect certain types of dangerous actions that can lead directly to ransomware infections. Actions such as opening specific websites, checking email, opening certain types of files (such as JavaScript files), or running certain types of software can be detected and acted upon as necessary.
  • Detect ransomware attacks by malicious users – The main specialty of Ekran System is detecting various types of insider attacks as they happen. Detecting use of mass storage, certain processes, websites, and applications – all of this can help you identify an attack in progress and stop it while the damage has yet to be done. When it comes to malicious use of ransomware, Ekran System can detect when a user is trying to copy and launch an application by detecting a suspicious file extension, use of a USB storage device, or a visit to a suspicious website. Even if ransomware isn’t detected in real time, Ekran System can still be extremely useful as an investigative tool to confirm exactly what happened and how it happened.




Protecting your company from malware is a never-ending struggle. Ransomware is only the latest in the line of tools and techniques used by hackers to attack sensitive data for profit. In order to make sure that your data is safe, you need to strengthen your defenses on all fronts, covering threats both outside and inside your organization.


This means employing a layered and holistic security strategy where a strongly protected perimeter is coupled with strong internal defenses, a solid screening process, and employee cyber security awareness programs.


In the modern cyber security landscape, it’s impossible to fully protect yourself from all vectors of attack using a single anti-malware tool. You need to employ a variety of tools and approaches in order to guarantee that your data and your corporate infrastructure are fully secure.