{"id":23322,"date":"2021-08-25T19:42:23","date_gmt":"2021-08-25T18:42:23","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/please-install-ransomware\/23322\/"},"modified":"2021-08-25T19:42:23","modified_gmt":"2021-08-25T18:42:23","slug":"please-install-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/please-install-ransomware\/23322\/","title":{"rendered":"Please encrypt your server"},"content":{"rendered":"<p>When ransomware enters a corporate network, it usually does so through e-mail, software vulnerabilities, or unprotected remote connections. Having an insider deliberately deploy malware seems implausible. However, as <a href=\"https:\/\/threatpost.com\/nigerian-solicits-employees-ransomware-profits\/168849\/\" target=\"_blank\" rel=\"nofollow noopener\">real-world evidence<\/a> shows, some attackers consider this delivery method effective and are now recruiting company employees by offering them a percentage of the ransom.<\/p>\n<h2>A creative delivery scheme<\/h2>\n<p>As absurd as it may sound, some attackers seek out accomplices through spam. For example, one message directly offers \u201c40%, $1 million in bitcoin\u201d to anyone willing to install and deploy DemonWare ransomware on their organization\u2019s main Windows server.<\/p>\n<p>Researchers masquerading as interested accomplices received a link to a file along with instructions for launching the malware. However, the person behind the mailing was apparently an inexperienced cybercriminal; the researchers had no trouble getting him to talk. The threat actor in question was a young Nigerian man who had scoured LinkedIn, looking for senior executives to contact. 
He abandoned his original plan \u2014 e-mailing malware \u2014 once he realized how strong corporate cybersecurity systems are.<\/p>\n<h2>What\u2019s wrong with the scheme?<\/h2>\n<p>To convince his targets their participation would be safe, the threat actor claimed the ransomware would erase all evidence of the crime, including any potential security footage, and recommended deleting the executable file to avoid leaving any clues. One might expect the criminal planned to trick his accomplices \u2014 arguably, once the server was encrypted, he would not care what happened to the person who did it \u2014 but he doesn\u2019t appear to have understood how digital forensics investigations work.<\/p>\n<p>The decision to use DemonWare also betrayed his inexperience. Although attackers do still use DemonWare, it is actually rather unsophisticated malware whose source code is available on GitHub. The malware\u2019s creator allegedly made it to demonstrate how easy it is to write ransomware.<\/p>\n<h2>How to stay safe<\/h2>\n<p>Although this example is just that \u2014 one specific example \u2014 insiders taking part in a ransomware attack is entirely realistic. Far more likely than someone launching malware on a network, however, is a scenario in which someone sells access to an organization\u2019s information system.<\/p>\n<p>The market for access to corporate networks has long existed on the dark web, and ransomers often <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-operators-love-them-key-trends-in-the-initial-access-broker-space\/\" target=\"_blank\" rel=\"nofollow noopener\">purchase<\/a> access from other cybercriminals \u2014 so-called Initial Access Brokers. It\u2019s they who may be specifically interested in buying data for remote access to the organization\u2019s network or cloud servers. 
Ads for such purchases aimed at disgruntled or fired employees float around the dark web.<\/p>\n<p>To ensure no one jeopardizes your company\u2019s security by letting ransomers into its networks, we recommend you:<\/p>\n<ul>\n<li>Adopt a strategy of least privilege;<\/li>\n<li>Keep careful records of access attempts to the organization\u2019s network and servers, and revoke rights and change passwords when employees are dismissed;<\/li>\n<li>Install on every server <a href=\"https:\/\/www.kaspersky.co.uk\/small-to-medium-business-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solutions<\/a> that can counter today\u2019s malware;<\/li>\n<li>Use <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/managed-detection-and-response?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Managed Detection and Response<\/a> solutions, which help identify suspicious activity in your infrastructure before attackers have a chance to inflict serious damage.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Would you encrypt your own server for a cut of the 
ransom?<\/p>\n","protected":false},"author":2581,"featured_media":23323,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360,2361],"tags":[1467,1859,441],"class_list":{"0":"post-23322","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-access","11":"tag-employees","12":"tag-ransomware"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/please-install-ransomware\/23322\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/please-install-ransomware\/23217\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/please-install-ransomware\/18704\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/please-install-ransomware\/9347\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/please-install-ransomware\/25253\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/please-install-ransomware\/22689\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/please-install-ransomware\/25877\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/please-install-ransomware\/25388\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/please-install-ransomware\/31357\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/please-install-ransomware\/9966\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/please-install-ransomware\/41419\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/please-install-ransomware\/17524\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/please-install-ransomware\/18014\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/please-install-ransomware\/15176\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/please-install-ransomware\/27243
\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/please-install-ransomware\/31506\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/please-install-ransomware\/27451\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/please-install-ransomware\/24266\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/please-install-ransomware\/29591\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/please-install-ransomware\/29396\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/23322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=23322"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/23322\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/23323"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=23322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=23322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=23322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}