Social Engineering Remains a Common Ransomware Tactic


Keith Ward
April 1, 2022

Often in the ransomware world, the oldest and most common methods of hacking an organization remain the most effective. That includes social engineering, which, although some feel it is less effective now that knowledge of it is far more widespread, remains a key way to infiltrate a target.

Social engineering involves convincing people to give up valuable information such as passwords, personally identifiable information (PII) like Social Security numbers, banking details, and so on. This can mean tricking people or bribing them, and both methods remain popular.

This is especially true for the ransomware threat group Lapsus$, which is quickly becoming one of the most notorious gangs in the world. Security journalist Brian Krebs recently discussed how Lapsus$ continues to gain footholds in enterprises, and a lot of its work is done via old-fashioned social engineering.

‘Phone-based Social Engineering’

Microsoft, Krebs reports, is a recent target of Lapsus$ and has issued an advisory about the group. Microsoft describes some of the group's methods:

Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.

—Microsoft, about Lapsus$ ransomware group

“Phone-based social engineering” has a familiar ring, doesn’t it? This tried-and-true hacking method is still a primary attack vector. In 2022, when pretty much everyone should be aware of these attempts, it’s still happening. And still successful.

“Paying employees” is another phrase that should send shivers down the back of everyone with security responsibilities. Ultimately, there’s probably no way to completely eliminate this kind of graft. Bribes are, of course, perhaps the oldest type of social engineering in existence. But properly vetting potential hires can go a long way toward minimizing this danger.

Don’t Give Up

It’s easy to get depressed by this kind of information, to want to throw up your hands and say it’s simply impossible to protect your organization from ransomware and other cyberattacks. But that would be the wrong attitude. Employee training should be ongoing, and making sure your data is properly backed up and can be recovered quickly enough to limit the impact should also be a first-line defense.

The criminals who run Lapsus$ and other ransomware gangs will keep using social engineering and other methods to get your crown jewels. That’s why you need to keep up just as obsessively with the latest defensive measures. Make it so hard to hack your organization that the bad guys give up and find easier targets.

© Future US LLC, Full 7th Floor, 130 West 42nd Street, New York, NY 10036