75% of Insider Cyber Attacks are the Work of Disgruntled Ex-Employees: Report

According to Unit 42 research, ransomware and business email compromise top the cyber attack charts this year, and economic pressures could encourage more people to enter a new career in cybercrime.

Jessica Davis, Senior Editor

July 27, 2022


Ransomware and business email compromise (BEC) topped the list of attack types against organizations in the past year, making up 70% of the total, according to the 2022 Unit 42 Incident Response Report from Unit 42, a cybersecurity consultancy within Palo Alto Networks. The firm based the report's findings on approximately 600 incident responses completed by Unit 42 between May 2021 and April 2022.

Here’s a quick breakdown of key findings:

  • 77% of intrusions are suspected to be caused by three initial access vectors – phishing, exploitation of known software vulnerabilities, and brute-force credential attacks focused primarily on remote desktop protocol.

  • The report also found that more than 87% of positively identified vulnerabilities fell into one of six major categories – the ProxyShell and ProxyLogon flaws in Exchange Server, the Apache Log4j flaw, and vulnerabilities in Zoho ManageEngine ADSelfService Plus, Fortinet, and SonicWall.

  • Half of the compromised organizations lacked multifactor authentication on key internet-facing systems such as corporate webmail, virtual private network (VPN), and other remote access solutions.

  • The seven most targeted industries were finance, professional and legal services, manufacturing, healthcare, high-tech, and wholesale and retail. These accounted for over 60% of cases, according to Unit 42.

Unit 42 said that attackers may focus on certain industries such as finance and healthcare because they store, transmit, and process high volumes of monetizable sensitive information – or simply because they make widespread use of certain software with known vulnerabilities.

Insider Threats

It’s not always about the money, according to the report. Grudges matter, too. Insider threats made up just 5.4% of the incidents Unit 42 handled, “but they can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data,” the report said. What’s more, 75% of insider threat cases involved a disgruntled ex-employee who left with company data, destroyed company data, or accessed company networks after their departure.

This could be exacerbated during a recession, as layoffs and frustrations rise. Researchers predict that declining economic conditions could push more people into cybercrime as a way to make ends meet.

"Right now, cybercrime is an easy business to get into because of its low cost and often high returns," said Wendi Whitmore, SVP and head of Unit 42 at Palo Alto Networks, in a statement. “As such, unskilled, novice threat actors can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web.”


Ransomware can target sensitive organizations, such as hospitals, and can put even more pressure on organizations with threats of releasing sensitive information if the ransom is not paid. Additionally, Unit 42 has been tracking at least 56 active “ransomware as a service” groups operating since 2020.

“RaaS is a business for criminals, by criminals, with agreements that set the terms for providing ransomware to affiliates often in exchange for monthly fees or a percentage of ransoms paid,” the report said. “RaaS makes carrying out attacks much easier, lowering the barrier to entry for would-be threat actors, and expanding the reach of ransomware.”

Unit 42 reported that ransomware demands have been as high as $30 million over the past year, and some clients have paid ransoms of over $8 million. Unit 42 noted that threat actors attempt to access financial information when they have unauthorized access to a victim organization and calculate ransom demands based on the perceived revenue of the organization being extorted.

What’s Ahead?

Unit 42 asked its incident responders to look ahead to the cyberthreats on the horizon and provide some predictions. Here are some of the predictions they shared:

  • The window of time to patch high-profile vulnerabilities before exploitation will continue to shrink.

  • Widespread availability of attack frameworks and hacking-as-a-service-based platforms will continue to increase the number of unskilled threat actors.

  • Reduced anonymity and increased instability with cryptocurrency could lead to a rise in business email compromise or payment card-related website compromise.

  • Declining economic conditions could push more people into cybercrime as a way to make ends meet.

  • Hacktivism and politically motivated attacks will increase as groups continue to hone their ability to leverage social media and other platforms to organize and target public and private sector organizations.

The full Unit 42 report is available here.


About the Author(s)

Jessica Davis

Senior Editor

Jessica Davis is a Senior Editor at InformationWeek. She covers enterprise IT leadership, careers, artificial intelligence, data and analytics, and enterprise software. She has spent a career covering the intersection of business and technology. Follow her on Twitter: @jessicadavis.
