publishing date icon
December 9, 2021
read time icon
5 min. read

Ransomware for insider activation: $10,000 for 2 clicks

Cybercriminals are taking a page from the annals of rigged sports gambling in a new phishing tactic that plays on workplace disgruntlement to turn employees into insider threats with the exchange of bribes for complicity in a ransomware attack.

Author image
Milla Viitala
Junior Threat Analyst
facebook iconLinkedin iconTwitter icon
Post hero image

Cybercriminals are taking a page from the annals of rigged sports gambling in a new phishing tactic that plays on workforce disgruntlement to turn employees into insider threats with the exchange of bribes for  complicity in a ransomware attack.

The fix is in

Since the advent of sports gambling, criminals have coerced athletes to sell out their team in exchange for a hefty payday; or, in the case of some boxing matches, a chance for a title shot in exchange for taking a dive. Shoeless Joe Jackson and the underpaid 1919 Chicago Black Sox threw the world series after being convinced  to turn on their notoriously stingy owner. More recently, NBA referee Tim Donaghy was imprisoned for manipulating the outcomes of games with bad calls in favor of wise guy bettors.

Ransomware for insider activation looks a lot like match-fixing, but it targets ordinary people and their company’s network instead of going after athletes and their team’s win-loss record.

Direct and to the point

In most phishing attempts, attackers will only come out of the shadows in order to hide behind a fraudulent identity that exudes a feeling of legitimacy. Well, in this case the attacker takes the opposite approach. They  just straight-up ask for the employee’s help to commit a cyber crime.

Let’s see what happens in this very direct request:

Subject: $ 10,000 for 2 clicks

$100,000 for 2 clicks! What could go wrong?

In this email, the attacker approaches the user, who works for a big company, with a “let’s stick it to the man” message in hopes of garnering their cooperation. First, the attacker strikes a sympathetic tone, saying they understand how hard it is to survive in the world dominated by big corporations and how unfair the career growth game is for employees. The message gets philosophical, saying corporations' rule over us is unfair and that the dog-eat-dog world they force us to inhabit is a tough place to be for the lowly employee.

The attacker then makes their pitch: Why not earn some extra money and make life easier?

Of course, we are talking about cyber criminals and the extra income won’t be revenue one can report on their taxes.

The attacker offers to pay the employee a tidy $10,000 - $100,000  if they perform their requested action. Considering ransomware demands with large companies are routinely creeping into the millions of dollars, that bribe to the employee represents good ROI for the threat actor.  

What is the employee’s role in the bargain?

The attacker wants the employee to download a malicious file containing ransomware to their work computer in exchange for money.

If the employee is willing to proceed, they first need to email the attacker for instructions. The instructions are simple: open a document on their work computer. Just two easy steps is all the cyber heist boils down to:

  1. Get instructions
  2. Open a document on your computer at work

Simple right?

In addition, if the employee wants to keep their privacy throughout the exchange, they can take these steps:

  1. Download the Tor browser
  2. Register email
  3. Write back by sending the email through Tor browser

This is to ensure that the employer never finds out who helped them with the breach.

What happens next?

If the employee proceeds with the request and actual ransomware is downloaded to the system, the company is in real danger. Ransomware infects the system and locks all of its data while demanding a ransom to get back access.

The general guidelines from authorities is to not pay the ransom, but rather report it to law enforcement and consider other ways to fix the situation. Paying the ransom encourages more ransomware attacks and it doesn’t guarantee that the data will be released back to you.

Here are some other things you can do if your company gets infected by a ransomware:

  • Report it to your company’s IT department
  • Locate the ransomware and isolate it to stop it from spreading
  • Analyze what type of ransomware you have been infected by to help you understand how to act upon it
  • Take a deep breath and stay calm

And if you do receive an email like this and feel like proceeding with the request, I suggest you talk about the problems in your work place rather than help cyber criminals in their criminal activities!

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.


Subscribe to our newsletter