Cyber risks to watch for in HR departments

Whether job seekers submit their resumes as email attachments or through LinkedIn, the files present risks, and hackers continue to target human resources organizations, particularly with ransomware.

It's no secret that this year has been deemed the year of ransomware, and for every bitcoin criminals earn, a newly evolved variant is making its way through someone's files. Petya is different from most: rather than encrypting individual files, it overwrites the master boot record and encrypts the NTFS master file table, leaving the machine unable to boot. It has been a popular choice for ransomware campaigns against HR, arriving in spam emails posing as genuine job applications.

Brian Nesmith, CEO at Arctic Wolf, said, "The latest thing is that human resources organizations in general sit adjacent to finance organizations. More importantly, there are a lot of external parties that need to connect with human resources."

Whether it is the submission and collection of resumes, posting job openings, or storing the personally identifiable information of all personnel, human resources is rife with data. The problem is, Nesmith said, "Most HR departments are not IT literate. They know how to access the systems they have. A lot of data is coming in through contractors and may go to some executive or server, but HR is a step closer."

HR has access to personnel records and financial systems, making it a juicy target for malicious actors. By the very nature of their work, HR personnel expose the enterprise to greater risk simply by doing their job: opening unsolicited emails and reading resume attachments.

"I would say spear phishing attacks are the most commonly used technique of hackers. If I broadcast to everybody, that's just phishing. Spear phishing is more targeted, and they are using ransomware because there is a value in that," Nesmith said.

To understand how to mitigate these risks, security practitioners need to appreciate the motives and rationale of the attacker who uses targeted phishing. "They are very focused. In a spear phishing attack, many times I get somebody compromised, but it's someone who won't get me any closer to the crown jewels," Nesmith said.

Hackers know they have to be careful and strike a balance with their attacks, and they have come to understand that volume is not in their favor. "Ransomware is a little different because with most attempts to penetrate, you want to compromise the device and be fairly quiet. Ransomware, once in, moves aggressively. HR is the perfect world for ransomware. It infects one device and thirty others get infected," said Nesmith.

HR departments are useful to bad actors because they have access to many systems. Once inside, an attacker can move laterally and is quickly onto something important.

To mitigate these risks, Nesmith said, "The biggest thing is to monitor the network. Couple that with user training. HR benefits by setting up a separate workstation where they are uploading and looking at resumes, so do that more in a third party. Set up a separate workstation."

While many security practitioners suggest segmenting the network as a way to mitigate risk, "Segmenting is not going to protect the device itself. They need to open the files in a cloud environment where they can set it up to not infect anything else," Nesmith said.
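The article names the vector (a resume attachment that is not what it claims to be) but not the checks an intake workstation or mail gateway could run before a recruiter opens the file. The following is an added example, not code from the article or from Arctic Wolf: a small Python triage that flags a decoy double extension such as Resume.pdf.exe, executable content behind a document-looking name, macro-enabled Office documents, and a name/content mismatch. All filenames and attachment contents are constructed in memory for illustration; the heuristics are a pre-filter, not a replacement for the isolated workstation or sandbox Nesmith recommends.

```python
"""Pre-screen 'resume' attachments before an HR analyst opens them.

Added example, not code from the article or from Arctic Wolf. The sample
attachments below are constructed in memory; nothing is read from disk.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions a recruiter legitimately expects; anything else gets a closer look.
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".doc", ".odt", ".rtf", ".txt"}
# Extensions that should never arrive as a job application.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".hta", ".lnk", ".ps1", ".jar"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm"}

PE_MAGIC = b"MZ"                                 # Windows executables
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx) is a zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls containers
PDF_MAGIC = b"%PDF"


@dataclass
class Verdict:
    filename: str
    allow: bool
    reasons: list = field(default_factory=list)


def _extensions(filename: str) -> list:
    """'Resume.pdf.exe' -> ['.pdf', '.exe'] (lower-cased, in order)."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def _ooxml_has_macros(data: bytes) -> bool:
    """OOXML documents carry VBA in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict; allow is True only when no heuristic fires."""
    reasons = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""

    # Name-based checks.
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable/script extension {last}")
    if last in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office extension {last}")
    if len(exts) >= 2 and last not in DOCUMENT_EXTENSIONS \
            and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("document extension used as a decoy before the real one")

    # Content-based checks: trust the bytes, not the name.
    if data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC):
        reasons.append("content is a native executable")
    if data.startswith(ZIP_MAGIC) and _ooxml_has_macros(data):
        reasons.append("Office document contains VBA macros (vbaProject.bin)")
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office formats can hide macros; route them to the sandbox.
        reasons.append("legacy OLE Office document; open only in isolation")
    if last == ".pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but content is not a PDF")

    return Verdict(filename, allow=not reasons, reasons=reasons)


def _ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML-like zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed sample attachments (hypothetical names and contents).
SAMPLES = {
    "Jane_Doe_CV.docx": _ooxml(with_macros=False),
    "John_Smith_CV.docx": _ooxml(with_macros=True),
    "Resume.pdf.exe": PE_MAGIC + b"\x90" * 62,
    "cover_letter.pdf": PDF_MAGIC + b"-1.7\n%constructed\n",
    "portfolio.pdf": PE_MAGIC + b"\x00" * 62,
}


def triage_all(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        status = "ALLOW " if verdict.allow else "REVIEW"
        print(f"{status} {name}: {'; '.join(verdict.reasons) or 'no findings'}")
```

Content sniffing is deliberately done alongside the name checks: a PE renamed to portfolio.pdf passes every extension rule and is caught only by its MZ header, while a macro-laden file saved with a .docx extension is caught only by looking inside the zip. Anything that earns a "REVIEW" verdict is what the separate intake workstation described above exists for.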