From guardian to threat: Understanding the Insider ransomware economy
CybersecurityHQ - Free in-depth report

The message appeared on thousands of infected computers in 2021, but it wasn't addressed to victims. LockBit 2.0's ransom wallpaper included a recruitment pitch: "Would you like to earn millions of dollars? Our company purchases access to networks."¹ The ransomware gang wasn't just encrypting files. It was hiring.
This marked a shift in cybercrime economics. Ransomware groups, facing hardened perimeter defenses, moved from breaking in to buying their way in. The target wasn't a software vulnerability. It was the trusted employee with system access.

The threat has materialized. The 2025 Ponemon Institute Cost of Insider Risks report found organizations face average annual costs of $17.4 million from insider incidents.² While insider-facilitated ransomware remains far less common than phishing or external exploits, its economic efficiency makes it strategically persistent. For CISOs, the question isn't whether this threat exists but whether existing controls can detect when legitimate credentials serve illegitimate purposes.
The Business Model: Paying for Access
Ransomware-as-a-Service operates with specialized roles and profit-sharing. Industry analyses describe a typical structure in which core operators develop the malware and run the payment infrastructure, while the affiliates who carry out intrusions and deploy the ransomware receive the majority share of each payment. Initial access brokers sell compromised credentials on dark web forums, giving affiliates an entry point without doing their own reconnaissance.³

Insiders collapse this supply chain. By recruiting an employee with valid credentials, ransomware groups bypass both the broker and the affiliate's penetration effort. The insider provides direct access or deploys malware from within using authorized systems. No exploit development. No phishing campaign. No perimeter alert.
The LockBit recruitment wallpaper explicitly solicited insiders with promises of million-dollar payouts.⁴ While precise industry-wide statistics on recruitment frequency remain limited, the business logic is clear: bribing one employee costs less than funding extended exploitation campaigns against hardened targets. This creates persistent economic incentive regardless of individual operation disruptions.
The trust dynamic is fragile. Unlike formal affiliate programs with reputation systems, direct insider deals lack enforcement mechanisms. The insider risks arrest on promises that may vanish once access is provided. Conversely, the insider might report the approach to law enforcement, as the Tesla employee did in 2020.⁵
What CISOs Should Ask: When did we last assess whether our organization could detect an employee providing credentials to adversaries? Do we have mechanisms to correlate financial stress indicators with unusual network access patterns?
Market Pressures and Tactical Evolution
By 2023-2025, ransomware operators faced shrinking margins. Organizations hardened external defenses, implemented offline backups, and adopted policies against ransom payment. This forced tactical evolution toward highly selective targeting.
Coveware's analysis documented shrinking profits driving ransomware actors to be less opportunistic and more targeted, including focus on large enterprises previously avoided due to security sophistication.⁶ Penetrating these hardened environments through traditional exploitation became prohibitively expensive.
Insider bribery offered efficiency. For networks with mature security controls, internal access can bypass layered defenses entirely. The insider doesn't evade EDR or chain vulnerability exploits. They authenticate as authorized users through normal channels.

The scope matters: insider-facilitated ransomware represents a small subset of total ransomware incidents, which themselves are one attack vector among many. But for threat actors targeting specific high-value organizations with strong perimeter defenses, the ROI calculation favors insider recruitment over extended penetration campaigns.
Case Study: Tesla's Detection Through Human Reporting
In summer 2020, Egor Igorevich Kriuchkov approached a Tesla Gigafactory employee with a proposal: $500,000, later raised to $1 million, to install malware on Tesla's network.⁷ The plan involved data exfiltration followed by ransomware deployment.
Kriuchkov had established personal rapport years earlier before making the criminal proposition. He provided the malware and promised operational cover through a DDoS diversion. The employee reported the approach to Tesla management, who coordinated with the FBI. Kriuchkov was arrested in August 2020 and later pleaded guilty to conspiracy to intentionally cause damage to a protected computer.⁸
Tesla's defense wasn't technical architecture. No firewall or SIEM would have stopped an insider with valid credentials launching malware from within. The control was human: an ethical employee who refused temptation and reported the approach. This case demonstrates both the directness of modern ransomware recruitment and the critical importance of security culture enabling employees to report suspicious contacts without fear of blame.
Case Study: Ubiquiti's Privileged User Failure
Nickolas Sharp, a senior software engineer at Ubiquiti, abused his privileged AWS and GitHub access in December 2020.⁹ He stole gigabytes of confidential data, altered log retention policies to cover his tracks, and modified system logs to mislead investigators. In January 2021, Sharp sent his own employer a ransom demand posing as an external hacker.
When Ubiquiti refused payment, Sharp published stolen files and later impersonated a whistleblower to damage the company's reputation. He was arrested, pled guilty, and in May 2023 was sentenced to six years in prison for wire fraud, computer damage, and making false statements to the FBI.¹⁰
The technical lesson is architectural: Sharp's tactics exploited the implicit trust granted to privileged users. Standard perimeter defenses provided no answer when the threat originated from an authorized administrator. This highlights the catastrophic risk of single points of failure where one individual possesses unilateral ability to alter security controls and access sensitive data.
Technical Patterns: The Collapsed Kill Chain
Insiders facilitate ransomware by leveraging legitimate privileges rather than exploiting vulnerabilities. The MITRE ATT&CK framework reveals a collapsed attack chain where traditional checkpoints are bypassed.

Initial Access (T1078): The insider provides authorized credentials that allow attackers to authenticate as legitimate users. LockBit's recruitment sought network access that security tools expect to see during normal operations.¹¹ Sophos research on active adversary tactics confirms that compromised credentials continue to dominate as initial access vectors, making insider-provided credentials particularly valuable to attackers.¹²
Defense Evasion (T1562): Malicious insiders disable or tamper with security controls. An IT administrator might uninstall endpoint security agents before deploying ransomware, claiming troubleshooting needs. Sharp disabled logging by altering retention policies.¹³
Impact (T1486, T1490): The final stage involves ransomware detonation and backup destruction. Insiders know exactly where backups reside and how to delete them, ensuring victims cannot recover without paying.¹⁴
Detection shifts from blocking unauthorized actions to identifying when legitimate actions serve illegitimate purposes. This requires behavioral baselines and continuous monitoring of privileged users, capabilities that industry security posture assessments suggest most organizations have not yet developed to sufficient maturity.
Detection: Behavioral Analytics and Their Limits
Traditional perimeter security assumes anything inside the network can be trusted. This assumption fails when insiders collaborate with ransomware gangs. Modern detection requires behavioral analytics, but implementation faces cost and complexity.
User and Entity Behavior Analytics (UEBA) establishes baselines of normal behavior and alerts on deviations. Given that compromised credentials represent a leading initial access method across the threat landscape, behavioral analytics becomes essential for detecting when valid credentials serve malicious purposes.¹⁵ An employee downloading significantly more data than typical, or an admin account disabling security controls on multiple hosts, triggers investigation.

The challenge is operational maturity. UEBA systems generate false positives requiring analyst triage. Organizations must tune systems while correlating technical indicators with non-technical signals like employment status changes. Leading implementations integrate HR data with IT monitoring, but this raises privacy considerations and requires cross-functional governance most organizations haven't established.
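The two UEBA signals named above (a user's egress far above their own baseline, an admin disabling security controls on several hosts) and the HR correlation can be sketched in code. This is an added example written for this page, not a product or the author's tooling; every record, user name, host name and threshold in it is constructed.

```python
"""Toy UEBA-style detector for the insider signals described above: per-user
egress baselines, multi-host security-control tampering, and an HR departing
flag that escalates severity. All records, users and hosts are constructed."""
from collections import defaultdict
from statistics import mean
EGRESS_RATIO = 5.0        # flag a day above 5x the user's own prior daily mean
MIN_HISTORY_DAYS = 3      # require this many prior days before judging a day
MULTI_HOST_THRESHOLD = 3  # agents disabled on >= 3 hosts in one day is not troubleshooting

AUDIT_LOG = [  # constructed audit records: (day, user, event, host, bytes_out)
    ("d01", "jdoe", "download", "fs01", 120_000_000),
    ("d02", "jdoe", "download", "fs01", 95_000_000),
    ("d03", "jdoe", "download", "fs01", 110_000_000),
    ("d04", "jdoe", "download", "fs01", 4_800_000_000),  # ~44x the prior mean
    ("d04", "admin7", "edr_agent_disabled", "srv01", 0),
    ("d04", "admin7", "edr_agent_disabled", "srv02", 0),
    ("d04", "admin7", "edr_agent_disabled", "srv03", 0),
    ("d04", "admin2", "edr_agent_disabled", "ws42", 0),  # one host: plausible maintenance
]
HR_DEPARTING = {"jdoe"}  # constructed HR feed: accounts in a notice period

def egress_anomalies(records):
    """Flag a day far above the user's own prior mean rather than a global cap."""
    by_user = defaultdict(lambda: defaultdict(int))
    for day, user, _event, _host, bytes_out in records:
        by_user[user][day] += bytes_out
    findings = []
    for user, by_day in by_user.items():
        history = []  # that user's earlier daily totals, the baseline
        for day in sorted(by_day):
            today = by_day[day]
            if len(history) >= MIN_HISTORY_DAYS and today > EGRESS_RATIO * mean(history):
                findings.append({"user": user, "day": day, "type": "egress_spike",
                                 "ratio": round(today / mean(history), 1)})
            history.append(today)
    return findings

def control_tampering(records):
    """Flag one account disabling security agents on many hosts in a day (ATT&CK T1562)."""
    hosts = defaultdict(set)
    for day, user, event, host, _bytes in records:
        if event == "edr_agent_disabled":
            hosts[(user, day)].add(host)
    return [{"user": u, "day": d, "type": "multi_host_control_disable", "hosts": len(h)}
            for (u, d), h in hosts.items() if len(h) >= MULTI_HOST_THRESHOLD]

def triage(records, departing):
    """Merge technical findings with the HR signal; departing users are escalated."""
    findings = egress_anomalies(records) + control_tampering(records)
    for f in findings:
        f["severity"] = "high" if f["user"] in departing else "medium"
    return sorted(findings, key=lambda f: f["user"])
```

Running `triage(AUDIT_LOG, HR_DEPARTING)` yields two findings: jdoe's egress spike at high severity because HR lists the account as departing, and admin7's three-host agent shutdown at medium, while admin2's single-host action stays below the threshold.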
Zero Trust Architecture eliminates implicit trust. NIST 800-207 mandates "never trust, always verify"—every access request requires authentication and authorization regardless of network location.¹⁶ For insiders, this means least privilege, micro-segmentation, and just-in-time access where admin permissions are time-limited rather than permanent.
But Zero Trust represents multi-year architectural transformation, not a purchased product. Implementation requires replacing legacy systems, retraining staff, and accepting temporary operational friction. Many organizations are early in this journey.
What CISOs Should Acknowledge: Detection technologies exist but require significant investment, operational maturity, and tolerance for false positives. Organizations should assess current capability gaps before assuming technical controls adequately address insider risk.
Prevalence: A High-Impact, Lower-Frequency Threat
Context matters for prioritization. While insider recruitment by ransomware gangs is real and economically rational, it remains far less common than phishing, vulnerability exploitation, or credential stuffing. Active adversary research confirms that compromised credentials and external remote services continue to lead initial access techniques, with insider collaboration representing a subset of this broader credential abuse challenge.¹⁷
The insider ransomware threat is best understood as high-impact, lower-frequency. Its significance derives from:
Economic efficiency for targeted operations: When adversaries specifically target well-defended organizations, insider recruitment may be the only cost-effective entry path
Detection difficulty: Behavioral anomalies are subtler than malware signatures, requiring analytics maturity many organizations lack
Catastrophic potential: Privileged insiders can cause damage disproportionate to incident frequency
CISOs should calibrate investment accordingly. This isn't the primary threat vector for most organizations most of the time. But for enterprises managing sensitive data, critical infrastructure, or high-value IP, the potential impact justifies dedicated insider threat programs rather than treating insider risk as an afterthought.
The Governance Imperative
The insider ransomware economy thrives because traditional security models assume insiders can be trusted. That assumption no longer holds categorically, but response requires governance transformation, not just technology deployment.
Culture: Organizations should create environments where employees can report suspicious recruitment approaches without fear. Security awareness training must explicitly cover ransomware recruitment tactics with real examples, instructing staff on reporting procedures.
Architecture: Migration to Zero Trust—treating every user as untrusted by default—is no longer optional for high-risk organizations. But CISOs must acknowledge this represents multi-year transformation with significant cost and complexity.
Governance: Insider threats require cross-functional programs integrating Security, HR, Legal, and executive leadership. Success depends on collaboration: HR alerting Security of terminations within minutes, elevated monitoring for departing employees, secure channels for behavioral concerns.

The strategic roadmap requires phased implementation:
Immediate (0-90 days): Form cross-functional insider threat working groups; implement HR-to-Security integration quick wins; establish just-in-time access for domain administrators
Short-term (3-6 months): Assess UEBA vendor capabilities and implementation requirements; document insider incident response playbooks; conduct tabletop exercises
Medium-term (6-18 months): Begin Zero Trust architecture planning; implement privileged access management for critical accounts; establish automated access reviews
Long-term (18-36 months): Measure program maturity through detection time, containment speed, and privileged accounts under management; conduct annual assessments
The Emerging AI Dimension
Industry reports warn of accelerating risks from AI-generated impersonation and more sophisticated social engineering. Generative AI produces realistic voice cloning, deepfake videos, and personalized text mimicking communication styles. Attackers can impersonate executives or colleagues to manipulate legitimate insiders.
Scenarios include AI voice cloning to instruct administrators to disable security for urgent maintenance, or deepfake video messages appearing to show executives authorizing unusual actions. Security analysts describe environments where trained staff struggle to distinguish synthetic from authentic communications, enabling threat actors to present as internal leadership and bypass psychological defenses built on recognizing authority and trust.¹⁸
Countermeasures require verification protocols: out-of-band confirmation for unusual requests, multi-person approval for sensitive actions, training specifically on synthetic media threats. Organizations might deploy detection tools for synthetic media, though this creates an escalating arms race. The Zero Trust principle extends here: trust no communication fully, particularly those invoking urgency or secrecy.
Conclusion: Calibrated Response to a Real Threat
When LockBit plastered recruitment offers on victims' screens in 2021, it exposed a security model vulnerability: organizations built defenses assuming threats came from outside. The ransomware economy responded by attempting to commercialize the insider.
The threat is real but requires calibration. Insider-facilitated ransomware remains less common than external attack vectors. Most organizations face greater immediate risk from unpatched vulnerabilities and phishing than from insider recruitment. But for high-value targets with mature perimeter defenses, insiders represent the economically efficient attack path.
CISOs should implement proportional controls: security culture enabling recruitment reporting, behavioral analytics scaled to organizational risk, privileged access management for critical accounts, and cross-functional governance for insider threat. The window for denial has closed. The adversary knows this option exists. The question is whether defenders will build detection capability before the next trusted employee decides millions of dollars outweigh loyalty.
References
1. Abrams, Lawrence. "LockBit ransomware recruiting insiders to breach corporate networks." BleepingComputer, August 4, 2021.
2. Ponemon Institute. "2025 Cost of Insider Risks Global Report." DTEX Systems, 2025.
3. ChannelE2E. "Inside the Cybercrime Economy: How Threat Actors Operate Like Businesses." 2024.
4. Abrams, Lawrence. "LockBit ransomware recruiting insiders to breach corporate networks." BleepingComputer, August 4, 2021.
5. Greenberg, Andy. "A Tesla Employee Thwarted an Alleged Ransomware Plot." Wired, August 27, 2020.
6. Coveware. "Insider Threats Loom while Ransom Payment Rates Plummet." Quarterly Ransomware Report, October 24, 2025.
7. Greenberg, Andy. "A Tesla Employee Thwarted an Alleged Ransomware Plot." Wired, August 27, 2020.
8. U.S. Department of Justice. "Russian National Charged in Conspiracy to Recruit Tesla Employee to Introduce Malware into Company Computer Network." Press Release, August 22, 2020.
9. U.S. Department of Justice (SDNY). "Former Employee Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company." Press Release, May 10, 2023.
10. U.S. Department of Justice (SDNY). "Former Employee Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company." Press Release, May 10, 2023.
11. Abrams, Lawrence. "LockBit ransomware recruiting insiders to breach corporate networks." BleepingComputer, August 4, 2021.
12. Sophos. "Active Adversary Report for Tech Leaders: Threat landscape and IT security trends." Sophos News, 2025.
13. U.S. Department of Justice (SDNY). "Former Employee Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company." Press Release, May 10, 2023.
14. MITRE ATT&CK. "Data Encrypted for Impact (T1486)" and "Inhibit System Recovery (T1490)." MITRE ATT&CK Framework, 2024.
15. Sophos. "Active Adversary Report for Tech Leaders: Threat landscape and IT security trends." Sophos News, 2025.
16. National Institute of Standards and Technology. "Zero Trust Architecture." NIST Special Publication 800-207, August 2020.
17. Sophos. "Active Adversary Report for Tech Leaders: Threat landscape and IT security trends." Sophos News, 2025.
18. Industry analysis based on multiple security vendor reports regarding synthetic media threats in enterprise environments, 2024-2025.