In cybersecurity, we often say that attackers only need to be right once – and defenders need to be right every time. Traditionally, we’ve focused on perimeter breaches, phishing campaigns, and zero-day exploits. But increasingly, attackers are bypassing these hardened defenses and taking a different route: persuading someone on the inside to hand over the keys.
A recent BBC investigation illustrated this shift in stark terms. A journalist was approached by the ransomware group Medusa and offered a portion of a ransom if they provided login access to BBC systems. The pitch was bold – promises of financial freedom, reassurances of secrecy, and even claims that “you wouldn’t need to work ever again”.
This isn’t a one-off stunt. It’s a sign of how ransomware has matured into an ecosystem that blends technical sophistication with psychological manipulation. For organizations everywhere, the message is clear: the threat landscape now includes insider recruitment as a mainstream tactic, and security strategies must evolve to meet it.
Why insider recruitment is effective
Insider recruitment works because it targets the human side of security. Attackers know that people are often the most direct route into an organization, and they frame their pitches in ways that make cooperation seem both easy and rational.
Bypassing traditional defenses – With a valid set of credentials, attackers can avoid the full gauntlet of security controls: MFA, endpoint detection, and intrusion monitoring. This shortcut is attractive because it saves time and reduces their risk of detection.
Exploiting financial and emotional pressure – Cybercriminals deliberately position themselves as problem-solvers to the individual. They lean on financial stress, feelings of being undervalued, or promises of a “life-changing” payday.
Framing it as low risk – By promising anonymity, offering “trust payments,” and pointing to supposed past successes, groups make the insider feel shielded from consequences.
This strategy is not theoretical. Earlier this year, a Brazilian IT worker was arrested for selling credentials that police say led to $100 million in losses for a bank. The BBC journalist’s encounter with Medusa reflects the same playbook – one that is being deployed globally across industries.
For defenders, the lesson is that insider threats aren’t just about disgruntled employees or unintentional mistakes. They are now being actively cultivated by organized groups with the patience and resources to make the pitch.
The Medusa playbook
Medusa operates like a business. As a ransomware-as-a-service (RaaS) provider, they maintain infrastructure that affiliates can use to launch attacks. They even employ ‘reach out managers’ whose job is to recruit insiders. In the BBC case, the journalist was offered not only a share of potential ransom but also an upfront ‘deposit’ in bitcoin to demonstrate credibility.
When persuasion wasn’t enough, the group escalated. The journalist described being hit with MFA bombing – a barrage of login approval requests designed to overwhelm a user into clicking ‘accept’. It’s the same technique used to breach Uber in 2022, and it has become a common fallback when attackers want to turn social engineering into system access.
This multi-pronged approach – blending conversation, coercion, and technical pressure – reflects the reality of modern ransomware groups. They are resourceful, opportunistic, and adaptive. And while Medusa is just one example, the tactics they deploy are quickly becoming industry-wide norms.
Protecting your organization against insider threats
The good news is that organizations can prepare for this threat, but it requires expanding the definition of ransomware defense. Technology alone isn’t enough – people and processes are equally critical.
Build a culture of trust and awareness – Employees should feel safe reporting outreach attempts. When staff believe they’ll be punished or ridiculed, attackers gain the upper hand.
Strengthen identity and access controls – Adopt phishing-resistant MFA methods, such as hardware tokens, and limit privileged access to only those who truly need it.
Monitor for unusual behavior – Tools like user and entity behavior analytics (UEBA) can flag anomalies such as out-of-hours logins, sudden privilege escalations, or unusual data transfers.
Simulate the threat – Red teaming and tabletop exercises should now include insider recruitment scenarios. These simulations often reveal blind spots in detection and response processes.
Clarify response protocols – Have defined playbooks for account lockdown, escalation, and communication. Rapid detection is only valuable if paired with rapid response.
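As an added illustration of the monitoring advice above and of the MFA bombing pattern described earlier (this is example code written for this page, not code from the original post or from Rapid7’s products), the following Python detector runs two simple checks over constructed identity-provider events: a burst of push challenges to one user that ends in an approval, and a successful login outside business hours. The event format, the thresholds, and the assumed working hours are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real logs): timestamp user event result
SAMPLE_EVENTS = """\
2025-10-01T02:14:05Z alice mfa_push timeout
2025-10-01T02:14:21Z alice mfa_push denied
2025-10-01T02:14:40Z alice mfa_push denied
2025-10-01T02:15:02Z alice mfa_push denied
2025-10-01T02:15:30Z alice mfa_push approved
2025-10-01T02:15:31Z alice login success
2025-10-01T09:30:00Z bob mfa_push approved
2025-10-01T09:30:01Z bob login success
"""

PUSH_WINDOW = timedelta(minutes=5)   # assumed: how far back to count push challenges
PUSH_THRESHOLD = 4                   # assumed: challenges in the window that count as a flood
WORK_HOURS = (7, 19)                 # assumed business hours in UTC: 07:00 inclusive to 19:00 exclusive

def parse_events(text):
    """Turn the whitespace-separated sample lines into (datetime, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def detect_push_bombing(events):
    """Flag a user who receives PUSH_THRESHOLD or more push challenges inside PUSH_WINDOW
    and then approves one: the fatigue-then-accept pattern of MFA bombing."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of push challenges still inside the window
    for ts, user, event, result in events:
        if event != "mfa_push":
            continue
        window = [t for t in recent[user] if ts - t <= PUSH_WINDOW]
        window.append(ts)
        recent[user] = window
        if result == "approved" and len(window) >= PUSH_THRESHOLD:
            alerts.append((user, ts, len(window)))
    return alerts

def detect_out_of_hours_logins(events):
    """Flag successful logins whose hour falls outside the assumed working hours."""
    start, end = WORK_HOURS
    return [(user, ts) for ts, user, event, result in events
            if event == "login" and result == "success" and not (start <= ts.hour < end)]
```

In a real deployment the same two checks would read from the identity provider’s audit log, and each alert would feed the account-lockdown playbook rather than just a list.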
At Rapid7, our work across managed detection and response (MDR), identity security, and continuous red teaming gives us firsthand insight into how attackers operate – and how defenders can shut them down before damage occurs.
Start reducing insider risk today
The BBC journalist’s story provides a rare glimpse into how ransomware groups pitch, persuade, and pressure would-be insiders. It reinforces an uncomfortable truth: attackers aren’t only exploiting vulnerabilities in code – they’re exploiting vulnerabilities in people.
For security leaders, this means building strategies that acknowledge and defend against insider risk. That includes technology to detect anomalies, awareness programs that empower employees, and response plans that move as fast as the attackers themselves.
At Rapid7, we help organizations stay ahead of these challenges by combining deep expertise with proven services. From strengthening identity programs to simulating insider threats and delivering 24x7 detection, our team equips you to face today’s ransomware tactics with confidence.
Contact us today to learn how Rapid7 can help your organization reduce insider risk and stay ahead of evolving ransomware operations.