Hackers prey on human resources using ransomware

Aug 29, 2016 · 3 min read
Advanced Persistent Threats · Big Data · Data and Information Security

Cyber risks to watch for in HR departments


Whether job seekers submit their resumes via email attachments or LinkedIn, the files present risks, and hackers continue to target human resources organizations, particularly with ransomware.

It’s no secret that this year has been deemed the year of ransomware, and for every bitcoin criminals are earning, there’s a newly evolved version making its way through your files.

Petya, though, encrypts the hard drive rather than files. It has been a popular choice of ransomware targeting HR, coming through spam emails posing as authentic job applications.


Brian Nesmith, CEO at Arctic Wolf said, “The latest thing is that human resources organizations in general sit adjacent to finance organizations. More importantly there are a lot of external parties that need to connect with human resources.”

Whether it’s the submission and collection of resumes, posting for job openings, or storing the personal identification information of all personnel, human resources is ripe with data. The problem is, Nesmith said, “Most HR departments are not IT literate. They know how to access the systems they have. A lot of data is coming in through contractors and may go to some executive or server, but HR is a step closer.”

HR has access to personnel records and financial systems, making it a juicy target for malicious actors. Due to the very nature of their work, HR personnel open the enterprise up to greater risk simply by doing their job: opening emails and reading resume attachments.

“I would say spear phishing attacks are the most commonly used technique of hackers. If I broadcast to everybody, that’s just phishing. Spear phishing is more targeted, and they are using ransomware because there is a value in that,” Nesmith said.

In order to understand how to mitigate these risks, security practitioners need to appreciate the motives and rationale of the hacker who is using targeted phishing. “They are very focused. In a spear phishing attack, many times I get somebody compromised, but it’s someone who won’t get me any closer to the crown jewels,” Nesmith said.

Hackers know that they have to be careful and strike a balance with their attacks, but they have come to understand that volume is not in their favor. 

“Ransomware is a little different because with most attempts to penetrate, you want to compromise the device and be fairly quiet. Ransomware, once in, moves aggressively. HR is the perfect world for ransomware. It infects one device and thirty others get infected,” said Nesmith.

HR departments are useful to bad actors because they have access to a lot of systems. Once in, attackers can move laterally and quickly reach something really important.


In order to mitigate these risks, Nesmith said, “The biggest thing is to monitor the network. Couple that with user training. HR benefits by setting up a separate workstation where they are uploading and looking at resumes, so do that more in a third party. Set up a separate workstation.”

While many security practitioners often suggest segmenting the network as a way to mitigate risks, “Segmenting is not going to protect the device itself. They need to open the files in a cloud environment where they can set it up to not infect anything else,” Nesmith said.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.