In a twisted version of “if you can’t beat them, join them,” ransomware groups have been spotted flashing up messages offering disgruntled workers the chance to divulge their company secrets.
Security researchers at Group Sense, a ransomware negotiation services company, revealed the disturbing new tactic, with gangs such as Sarcoma ‘advertising for insiders’ to give up information along with the digital keys of their organizations.
A ransomware attack usually announces itself with a note flashing up on screens, but this one comes with a twist alongside the ransom demand: “If you help us find this company’s dirty laundry you will be rewarded.”
Insiders have always been a key resource for cybercriminals: a disgruntled former employee or a current worker can be highly valuable to hackers.
But advertising for them so openly is a brazen show of just how lucrative — and competitive — the threat actor landscape has become.
Techopedia explores Group Sense’s findings and other reports. Is this making a mountain out of a molehill, or should we all be hunting the mole?
Key Takeaways
- Ransomware groups are now openly advertising for insider help.
- New ransomware notes are now designed to attract employees who may have access to critical company information by appealing to disgruntled insiders.
- The number of active ransomware groups increased by 40% in 2024, while credentials change hands for as little as $10.
- Companies need to consider awareness campaigns and dark web monitoring to reduce the rising risk of insider threats and ransomware.
- Security teams should prioritize photographing and documenting ransomware notes without touching compromised systems to aid investigations.
A Ransomware Note — And an Offer
Taking a look at this new type of ransomware note presented by Group Sense and first shared with Dark Reading, it starts like any other note: with a threat to destroy backups and harsh words to pressure victims into paying up.
Also included are the classic instructions for reaching the attackers’ negotiation site over Tor, the anonymity network (accessed through the Tor Browser) that hides where the victim and the gang are connecting from.
But scrolling down to the bottom of the ransomware note is where things get interesting. The note, spotted by Group Sense, reads:
“If you help us find this company’s dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us.”
Another ransomware note reads:
“Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.”
Who Reads the Ransomware Note Matters
Ransomware notes typically appear on the screen of every infected device. But who reads those notes? That may be the cunning crux of the new tactic.
When a company or large organization is hit, the note shows up on many screens at once, and exactly which screens depends on which systems the malware has compromised. A note that lands on a warehouse terminal or a shared-floor workstation is read by far more people than one confined to a server room.
IBM advises security teams to photograph the ransomware note “ideally by photographing the screen of the affected device with a separate device like a smartphone or camera.”
The photo will help streamline processes such as paperwork, filing reports to IT, security teams, and executives, and bringing in law enforcement.
Once the photo is taken, the advice is not to modify files or restart the devices but to put them into hibernation instead. Hibernation writes the contents of memory to disk, which preserves volatile evidence (including, in some cases, the encryption keys the ransomware is holding in RAM) for forensic analysis, whereas modifying files or rebooting may make things worse.
IBM breaks it down:
“When dealing with ransomware, avoid restarting infected devices. Hackers know this might be your first instinct, and some types of ransomware notice restart attempts and cause additional harm, like damaging Windows or deleting encrypted files.”
Ransomware in Stats
| Statistic | Details |
|---|---|
| Cost of stolen credentials on the dark web | As low as $10 |
| Number of active ransomware groups (2024) | 88, of which 40 were new entrants |
| Increase in active threat groups (year over year) | 40% growth despite law enforcement crackdowns |
| Average weekly ransomware victims | ~93 companies posted per week |
| Most active ransomware group (2024) | RansomHub, surpassing LockBit |
| CVEs published (2024) | ~40,000, a 43% increase from 2023 |
| High/critical severity CVEs (2024) | 44% of all CVEs reported |
Tactics to Stop Ransomware Insider Threats
Let’s talk mitigation tactics and solutions. Techopedia recommends that HR, IT, and security teams raise awareness among workers at all levels about this new ransomware note technique.
Addressing insider threats directly is also suggested, whether through an email, a short explainer video, or a ransomware refresher meeting. It is critical for organizations to define their own insider-threat policy, one that covers not only employees but partners and third-party providers.
Additionally, security teams can turn to dark web monitoring to strengthen their security posture. Credentials and internal data leaked on the dark web give attackers a starting point for recruiting insiders, extorting employees into handing over access, and other follow-on attacks.
Leaks on the dark web are more common and widespread than most would think. A January 22 report from Cyble, a threat intelligence platform and cybersecurity services provider, found thousands of credentials belonging to major security vendors on sale cheaply on the dark web.
These include accounts on Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, as well as password managers, authentication systems, and device management platforms.
According to Cyble, these credentials are openly listed for sale, so essentially anyone willing to pay can obtain them. Cyble said:
“The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks.”
Knowing if one of your employees’ credentials has been leaked and is for sale on the dark web can help you plan accordingly while supporting your employees.
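One practical detail the recommendation above glosses over is how to check your employees against a leak feed without handing their plaintext passwords to a third party. The example below is added here and is not code from the original article, from Cyble, or from GroupSense. It shows the k-anonymity range technique used by password-exposure services such as Have I Been Pwned’s Pwned Passwords API: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the remainder on its own machine. Everything in it is constructed for the demo: `LEAK_FEED` is a made-up dump in email:password form, and `range_lookup` stands in for the provider’s HTTPS endpoint, which is assumed to follow the same SHA-1 prefix convention.

```python
import hashlib
from collections import defaultdict

# Constructed sample "leak dump" in email:password form. These are made-up
# records for the demo, not data from any real breach.
LEAK_FEED = """\
alice@example.com:Summer2024!
bob@example.com:Welcome1
ceo@example.com:Welcome1
someone@other.test:hunter2
bob@example.com:Welcome1
"""


def sha1_hex(text: str) -> str:
    """Upper-case SHA-1 hex digest, the hash convention used by range-style
    password-exposure services (assumption: your provider uses the same)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def parse_feed(feed: str):
    """Yield (email, password) pairs from a dump, skipping malformed lines."""
    for line in feed.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.lower(), password


def build_range_index(feed: str):
    """What the monitoring service holds: leaked password hashes bucketed by
    their first five hex characters, with an occurrence count per suffix."""
    index = defaultdict(lambda: defaultdict(int))
    for _, password in parse_feed(feed):
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] += 1
    return index


def range_lookup(index, prefix: str) -> dict:
    """Simulated range endpoint (stands in for the provider's HTTPS API).
    The query carries only a 5-character prefix (20 bits of the hash), so the
    service cannot tell which password in the bucket was being checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def password_exposure_count(index, password: str) -> int:
    """Client side of the k-anonymity check: hash locally, send the prefix,
    match the suffix locally. Returns how many times the password was seen
    in the feed (0 means not exposed)."""
    digest = sha1_hex(password)
    return range_lookup(index, digest[:5]).get(digest[5:], 0)


def exposed_accounts(feed: str, domain: str) -> dict:
    """Accounts on our domain that appear in the dump, mapped to the number of
    distinct leaked passwords seen for each. This side of the check needs only
    the email address, never a password."""
    seen = defaultdict(set)
    suffix = "@" + domain.lower()
    for email, password in parse_feed(feed):
        if email.endswith(suffix):
            seen[email].add(sha1_hex(password))
    return {email: len(hashes) for email, hashes in seen.items()}


if __name__ == "__main__":
    idx = build_range_index(LEAK_FEED)
    for pw in ("Welcome1", "correct horse battery staple"):
        print(pw, "->", password_exposure_count(idx, pw))
    print(exposed_accounts(LEAK_FEED, "example.com"))
```

Two things to note when wiring this to a real provider: never log or transmit the full digest (the prefix is the only thing that should leave your network), and treat a non-zero count for a password that is still in use, or any hit in `exposed_accounts`, as a trigger to force a reset and review that account’s recent sign-ins rather than as a report to file.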
Ransomware Peaks at an All-Time High
On January 16, 2025, GuidePoint Security, a risk mitigation cybersecurity company, released its GuidePoint Research and Intelligence Team’s (GRIT) annual 2025 Ransomware & Cyber Threat Report.
The report explains that the proliferation of ransomware-as-a-service (RaaS) is behind the surge in incidents. Additionally, as the FBI and international law enforcement partners disrupt malicious infrastructure and shut down ransomware gangs, power struggles emerge among established, rebranded, or new players making the RaaS landscape more active than ever.
“From major law enforcement disruptions to group shakeups and new behavior patterns, 2024 was at times a chaotic year for threat actors — yet ransomware activity and new groups continue to proliferate,” Jason Baker, Lead Threat Analyst at GuidePoint Security said.
GuidePoint Security says that active vulnerability management and knowing your digital attack surface inside out are the critical practices for security teams combating ransomware in 2025.
The number of active threat groups also increased year over year by a striking 40%, despite law enforcement operations aimed at disrupting the RaaS industry.
GuidePoint counted 88 active ransomware threat groups in 2024, including 40 gangs completely new to the game. The report reads:
“An average of 93 ransomware victims were posted per week on the dark web. RansomHub claimed the largest number of victims in 2024, displacing LockBit as the most active ransomware group for the first time since 2021.”
Common Vulnerabilities and Exposures (CVEs) are also fueling the ransomware industry and raising attackers’ success rates. With roughly 110 CVEs published every day, security teams are often playing catch-up.
“Almost 40,000 CVEs were reported in 2024, a 43% increase from 2023 and nearly 44% of vulnerabilities were rated ‘High’ or ‘Critical’ severity.
“However, threat actors continue to rely on historical vulnerabilities from preceding years,” GuidePoint said.
The Bottom Line
Recruiting disgruntled or dissatisfied insiders is not a new technique, but putting an advert for them, promising big cash-outs, directly into the ransom note is.
Awareness, and dark web monitoring, can help reduce the threat, combined with a business response plan to ransomware.
We are still surprised by how brazen the request is. And how alarming it must be for a company if the request starts flashing up on screens all over a building.
References
- Digital Risk Protection Services, Dark Web Monitoring & Threat Intelligence (GroupSense)
- Cybercriminals Court Traitorous Insiders via Ransom Notes (DarkReading)
- How to Recover From a Ransomware Attack (IBM)
- Cyble Finds Thousands of Security Vendor Credentials on Dark Web (Cyble)
- GRIT 2025 Ransomware & Cyber Threat Report (GuidePointSecurity)