Social Engineering Remains a Common Ransomware Tactic

Often in the ransomware world, the oldest and most common methods of hacking an organization remain the most effective. That includes social engineering, which, although some feel it is less effective now that knowledge of it is far more widespread, remains a key way to infiltrate a target.

Social engineering involves convincing people to give up valuable information such as passwords, personally identifiable information (PII) like Social Security numbers, banking information, and so on. This can mean tricking people or bribing them, and both methods remain popular.

This is especially true for the ransomware threat group Lapsus$, which is quickly becoming one of the most notorious gangs in the world. Security journalist Brian Krebs recently discussed how Lapsus$ continues to gain footholds in enterprises, and a lot of its work is done via old-fashioned social engineering.

‘Phone-based Social Engineering’

Microsoft, Krebs reports, is a recent target of Lapsus$, and has issued an advisory about the group. Microsoft describes some of their methods:

Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.

—Microsoft, about Lapsus$ ransomware group

“Phone-based social engineering” has a familiar ring, doesn’t it? This tried-and-true hacking method is still a primary attack vector. In 2022, when pretty much everyone should be aware of these attempts, it’s still happening. And still successful.

“Paying employees” is another phrase that should send shivers down the back of everyone with security responsibilities. Ultimately, there’s probably no way to completely eliminate this kind of graft. Bribes are, of course, perhaps the oldest type of social engineering in existence. But properly vetting potential hires can go a long way toward minimizing this danger.

Don’t Give Up

It’s easy to get depressed by this kind of information, to want to throw your hands up and say it’s simply impossible to protect your organization from ransomware and other cyberattacks. But that would be the wrong attitude. Training should be ongoing for employees, and taking precautions to make sure your data is properly backed up and recoverable quickly enough to reduce the impact of an attack should also be a first-line defense strategy.

The criminals who run Lapsus$ and other ransomware gangs will keep using social engineering and other methods to get your crown jewels. That’s why you need to keep up just as obsessively with the latest defensive measures. Make it so hard to hack your organization that the bad guys give up and find easier targets.
