75% of insider cyberattacks are the work of disgruntled former employees: report

Ransomware and business email compromise (BEC) topped the list of attack types against organizations over the past year, accounting for 70% of the total, according to the 2022 Unit 42 Incident Response Report from Unit 42, a cybersecurity consultancy within Palo Alto Networks. The company compiled the report's findings from approximately 600 incident responses completed by Unit 42 between May 2021 and April 2022.

Here is a quick breakdown of the key findings:

  • 77% of intrusions are suspected to be caused by three initial access vectors: phishing, exploiting known software vulnerabilities, and brute force credential attacks primarily focused on the remote desktop protocol.
  • The report also revealed that more than 87% of positively identified vulnerabilities fell into one of six major categories: ProxyShell and ProxyLogon flaws in Exchange Server, Apache Log4j flaw, and vulnerabilities in Zoho ManageEngine ADSelfService Plus, Fortinet, and SonicWall.
  • Half of the compromised organizations lacked multi-factor authentication to major internet-connected systems such as corporate webmail, virtual private network (VPN), and other remote access solutions.
  • The seven most targeted industries were finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail. These accounted for more than 60% of cases, according to Unit 42.

Unit 42 said attackers may focus on certain industries such as finance and healthcare because they store, transmit and process large volumes of monetizable sensitive information, or simply because they make widespread use of software with known vulnerabilities.

Internal threats

It’s not always about the money, according to the report. Grudges matter too. Insider threats accounted for just 5.4% of incidents handled by Unit 42, “but they can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data,” the report said. Additionally, 75% of insider threat cases involved a disgruntled ex-employee who left with company data, destroyed company data, or accessed company networks after leaving.

This could be exacerbated during a recession as layoffs and frustrations increase. Researchers predict that deteriorating economic conditions could push more people into cybercrime to make ends meet.

“Cybercrime today is an easy business to tackle due to its low cost and often high returns,” said Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks, in a press release. “As such, novice and unskilled threat actors can start with access to tools like hacking as an increasingly popular service available on the dark web.”


Ransomware can target sensitive organizations, such as hospitals, and can put even more pressure on organizations by threatening to release sensitive information if the ransom is not paid. Additionally, Unit 42 tracks at least 56 active ransomware-as-a-service groups operating since 2020.

“RaaS is a business for criminals, by criminals, with agreements that set the terms for providing ransomware to affiliates, often in exchange for a monthly fee or a percentage of ransoms paid,” the report said. “RaaS makes it much easier to carry out attacks, lowering the barrier to entry for potential threat actors and expanding the reach of ransomware.”

Unit 42 reported that ransom demands reached $30 million over the past year, with some customers paying ransoms of over $8 million. Unit 42 noted that threat actors who gain unauthorized access to a victim organization attempt to reach its financial information, and calculate ransom demands based on the revenue of the organization being extorted.

What awaits us?

Unit 42 asked its incident responders to anticipate cyber threats on the horizon and provide some predictions. Here are some of the predictions they shared:

  • The window of time to patch high-profile vulnerabilities before exploitation will continue to shrink.
  • Widespread availability of attack frameworks and hack-as-a-service platforms will continue to increase the number of unskilled threat actors.
  • Reduced anonymity and increased instability with cryptocurrency could lead to increased business email compromise or payment card-related website compromise.
  • Deteriorating economic conditions could push more people into cybercrime to make ends meet.
  • Hacktivism and politically motivated attacks will increase as groups continue to hone their ability to leverage social media and other platforms to organize and target public and private sector organizations.

The full Unit 42 report is available here.


Maria D. Ervin