An Unreported Breach: Why Companies Hide Cyberattacks
Part 1. Reporting Only Makes It Worse
[3] Hackers Infiltrate Targets and "Surf" the Network for a Month
An Unwittingly Opened Email Triggers a Ransomware Attack
Hackers Move Through Office Computers, Reaching the Most Critical Data at the Top
Non-English-Speaking Companies Now Targeted by Generative AI
Hacking Emails Sent to Korean Companies Surge by 31%
Ransomware attacks via email are considered one of the most common hacking techniques. Hackers send cleverly crafted emails with subjects like "National Pension Payment Omission" or "Police Station Speeding Ticket," which are tempting enough for anyone to want to open at least once. They also disguise themselves as business partners to induce clicks.
Two years ago, a bio company was hit by a ransomware attack that locked 40% (32GB) of its 80 gigabytes (GB) of clinical trial research data. The incident began when an employee on the company's management support team opened an email containing shipping documents, which appeared to be a product specification from an overseas supplier. Because the company regularly imports raw materials and equipment from abroad, the employee was deceived by the instruction to "download the attachment to view the documents" and carelessly opened the attached JPG file. Once this employee fell for the bait, the hacker began to "surf" through the company's shared folders, moving on to the computers of other employees. Eventually, the attack reached the senior researcher's computer, targeting the company's core asset: its research data.
An email sent by hackers targeting employees at the attacked company. They disguise it as an "International Shipping Document" so that it appears to come from a business partner, or craftily send emails like "Police Station Speeding Fine" that make recipients want to open them at least once. If the recipient is deceived by the email content and runs the attached file, the ransomware infection begins. (Photo by the affected company)
Lee Myungsoo, head of A-FIRST (AhnLab Forensic Intelligence ReSearch Team), the dedicated cyber incident response and threat intelligence team at AhnLab, said, "Some hackers launch attacks as soon as the victim opens the ransomware executable file, but it has also become common for hackers to spend a week or even up to a month conducting reconnaissance on employees' computers, collecting critical information before inflicting significant damage." During this "ransomware cohabitation period," hackers identify internal information such as employee composition, server size, and data access privileges. They then move on to devices belonging to higher-ranking employees with greater privileges. By infiltrating the internal network through the infected computer, they quietly spy on the company before launching their attack.
Attacks known as "Business Email Compromise (BEC)" targeting Korean companies have increased significantly. Business Email Compromise refers to a method in which hackers impersonate a well-known or trusted business partner and attach a ransomware executable file. According to the "2024 Phishing Trends Report" released by Proofpoint, a security consulting firm based in Silicon Valley, the number of Business Email Compromise attempts targeting Korean companies surged by 31% compared to the previous year.
In particular, with the advent of the artificial intelligence (AI) era, email-based attacks have become even more sophisticated. The report stated, "In the past, Business Email Compromise attacks targeting non-English-speaking companies were rare due to language barriers or cultural differences, but with generative AI, it has become possible to create scam emails that sound natural, greatly expanding the range of countries that can be attacked."
Ransomware attacks can occur even if no one opens a suspicious email or receives a file. Vulnerabilities in a company's website are also a major entry point for hackers. Park Chunsik, professor of information security at Seoul Women's University, said, "While one might think that company servers are safe because external access is blocked, it is also common for hackers to use the publicly accessible company website as a pathway to infiltrate the server from outside. If the website has vulnerabilities, hackers exploit them to attack the server."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![When One Employee Takes the Bait, Hackers Surf Up the Ranks to Hit the Company's Weakest Spot [Concealment 3]](https://cphoto.asiae.co.kr/listimglink/1/2025052520193672205_1748171976.jpg)
![When One Employee Takes the Bait, Hackers Surf Up the Ranks to Hit the Company's Weakest Spot [Concealment 3]](https://cphoto.asiae.co.kr/listimglink/1/2025052512340871992_1748144048.jpg)
![When One Employee Takes the Bait, Hackers Surf Up the Ranks to Hit the Company's Weakest Spot [Concealment 3]](https://cphoto.asiae.co.kr/listimglink/1/2025052520255372208_1748172353.jpg)

