This is a very interesting story about what many organizations fear: a true insider threat. The story goes that an organization was compromised and infected with ransomware. One of the organization's analysts decided to take advantage of the situation and create his own attack, i.e., modify the original ransomware demands to his advantage. He created his own bitcoin wallet and swapped the ransomware threat actor's wallet address for his own. The analyst also created an email alias identical to the original threat actor's and started pressuring the organization to pay. The organization decided not to pay and launched an investigation. That investigation uncovered the insider's scheme and led to his eventual arrest.
BleepingComputer posted details about this story HERE. The lesson here is simple. You can't assume your blue team is completely on your side. You need separation of duties, methods to validate that your defense operators are doing the right job, and measures in place to detect insider threat behavior. I bet there are dozens of disgruntled analysts working today who, because of not getting a promotion, being unhappy with their leadership or team, having challenges at home, or many other reasons, might consider taking advantage of a situation like this. In this case, the organization didn't pay and instead launched a forensic investigation. What if the organization had skipped the investigation and just paid? Would this analyst have gotten away with it? He didn't have the decryption key, so eventually there would have been an investigation, but it is possible that, done differently, an analyst could get away with this type of behavior. Maybe he doubles the ransom demand, pays the threat actors their half, passes on the encryption keys, and pockets the change?
Scary stuff to think about.