Ransomware isn’t just a cyber problem – it’s an insider threat

Nicola Thorn - Senior Intelligence and Investigations Consultant
Jun 11, 2025
Our Senior Intelligence and Investigations Consultant, Nicola Thorn, explores how ransomware increasingly exploits insider risks - whether through negligence, coercion, or malicious intent - and why organisations must adopt intelligence-led strategies beyond traditional cybersecurity.

Ransomware attacks are no longer the exclusive domain of faceless hackers exploiting remote digital vulnerabilities. Increasingly, they hinge on a more accessible and exploitable asset: insiders. Whether negligent, compromised or complicit, employees, contractors and third-party partners are now central to the ransomware threat landscape. 

Rethinking the narrative

The traditional story of ransomware centres on brute-force attacks, phishing or vulnerability exploitation from the outside. But recent high-profile incidents reveal a more complex picture – one where the “attack surface” includes people inside the organisation. Social engineering, third-party compromise and credential misuse are the new frontlines of ransomware campaigns. 

The insider factor in ransomware: sector highlights

Retail sector

Marks & Spencer (April 2025) 
The Scattered Spider group impersonated M&S IT staff to bypass service desk protocols. Once multi-factor authentication had been disabled, they deployed ransomware that disrupted online shopping, payments and loyalty systems – wiping £300 million from operating profits and £1 billion from market value.

Co-op Group (April 2025)
A ransomware attack exploited third-party vendor vulnerabilities to access and compromise Co-op’s back-office and customer service systems, exfiltrating sensitive data and crippling daily operations. 

Harrods (April 2025)
Although ransomware was not deployed, a thwarted attack prompted a lockdown of internet access across Harrods’ sites. The attempt exposed weaknesses in third-party access control and the importance of insider vigilance. 

Victoria’s Secret (UK) (May 2025)
A ransomware attack took systems offline for days and delayed financial disclosures. Internal credential mismanagement provided the entry point. 

Law enforcement sector

Greater Manchester Police (September 2023)
Over 12,500 staff had personal data compromised when ransomware targeted their ID card supplier. Exposed information included names, photos and badge numbers – valuable assets for coercion or impersonation. 

Metropolitan Police (August 2023)
A third-party supplier breach led to unauthorised access to sensitive personnel records, raising concerns over both officer safety and insider exposure. 

Eurofins Forensics (June 2019)
The ransomware attack that halted forensic services across the UK forced law enforcement to delay thousands of investigations. Reports indicate the ransom was paid to restore operations. 

Healthcare sector

NHS 111 / Advanced (August 2022)
Attackers used a compromised third-party credential to deploy LockBit 3.0 ransomware, disrupting ambulance dispatch, referrals and mental health services. The impact lasted weeks, and data exfiltration was confirmed. 

Local government

Hackney Council (October 2020)
Pysa ransomware actors exploited a dormant internal account and an unpatched vulnerability, crippling council services from housing to benefits. The recovery cost exceeded £12 million. 

Redcar & Cleveland Council (2020)
A phishing email led to a total systems lockdown and weeks of manual operations. The financial impact surpassed £10 million – all triggered by a simple staff mistake. 

What ransomware groups look for in insiders

Ransomware operators increasingly exploit: 

  • Financially vulnerable individuals – those under economic stress are more susceptible to coercion or bribery 
  • Privileged access holders – admin-level users offer the fastest route to mission-critical systems 
  • Disgruntled employees – workplace dissatisfaction can drive malicious intent or indifference to risk 
  • Third-party vendors – external partners with internal access, often less monitored, are easy prey 

Why traditional cybersecurity falls short

Security protocols typically assume threats come from outside. This leaves insider actions – whether malicious or accidental – dangerously under-monitored. 

Key shortcomings include: 

  • Trusted status – insiders bypass many traditional cyber defences simply by operating within the perimeter 
  • Limited behavioural monitoring – subtle anomalies like off-hour access or unusual data transfers may not raise alerts 
  • Under-scrutinised third-party access – external partners often enjoy extensive access with limited oversight 

An intelligence-led insider risk strategy

To counter this evolving threat, organisations must adopt a more holistic, intelligence-driven approach: 

  • Behavioural analytics – leverage tools that detect deviations in user behaviour and access patterns 
  • Cross-functional collaboration – align IT, HR, compliance and security teams to create a unified risk profile of users 
  • Third-party risk management – rigorously vet and continuously monitor vendors, especially those with privileged access 
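The behavioural signals named above (off-hour access, unusual data transfers, under-monitored vendor accounts) and in the incidents earlier on the page (a dormant internal account, MFA being disabled) can be turned into simple detection rules. The script below is an added illustration, not code from the article or from Clue; the event records, thresholds and business hours are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events, not from any real incident: (user, ISO timestamp, action, bytes moved)
EVENTS = [
    ("alice",   "2025-04-14T09:12:00", "login",       0),
    ("alice",   "2025-04-14T10:03:00", "transfer",    40_000_000),
    ("alice",   "2025-04-15T09:20:00", "login",       0),
    ("alice",   "2025-04-15T11:41:00", "transfer",    35_000_000),
    ("vendor1", "2025-01-02T14:00:00", "login",       0),            # vendor account, last seen in January
    ("vendor1", "2025-04-16T02:47:00", "login",       0),            # dormant account returns at 02:47
    ("vendor1", "2025-04-16T03:05:00", "mfa_disable", 0),            # MFA switched off on the account
    ("vendor1", "2025-04-16T03:30:00", "transfer",    900_000_000),  # bulk data movement with no baseline
]

WORK_HOURS = (7, 19)             # assumed business hours (local time)
DORMANT_DAYS = 60                # assumed: no activity for this long counts as dormant
TRANSFER_MULTIPLIER = 5.0        # assumed: flag transfers above 5x the user's prior average
COLD_START_BYTES = 100_000_000   # assumed: first-ever transfer above this is flagged

def detect(events):
    """Return (user, timestamp, rule) triples for behaviour that deviates from the user's own pattern."""
    alerts, last_seen, history = [], {}, {}
    for user, ts, action, nbytes in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if action == "login":
            if not WORK_HOURS[0] <= when.hour < WORK_HOURS[1]:
                alerts.append((user, ts, "off_hours_login"))
            prev = last_seen.get(user)
            if prev is not None and (when - prev).days >= DORMANT_DAYS:
                alerts.append((user, ts, "dormant_account_reactivated"))
        elif action == "mfa_disable":
            alerts.append((user, ts, "mfa_disabled"))
        elif action == "transfer":
            prior = history.setdefault(user, [])   # per-user baseline of earlier transfer sizes
            if prior and nbytes > TRANSFER_MULTIPLIER * (sum(prior) / len(prior)):
                alerts.append((user, ts, "unusual_transfer_volume"))
            elif not prior and nbytes > COLD_START_BYTES:
                alerts.append((user, ts, "unusual_transfer_volume"))
            prior.append(nbytes)
        last_seen[user] = when
    return alerts

def escalate(alerts, min_rules=3):
    """Users who trip several distinct rules: a single anomaly is noise, a chain is worth a cross-team review."""
    hits = {}
    for user, _, rule in alerts:
        hits.setdefault(user, set()).add(rule)
    return sorted(u for u, rules in hits.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
    print("escalate:", escalate(detect(EVENTS)))
```

Each rule on its own produces false positives (a legitimate late shift, a new starter's first large upload); the `escalate` step is what turns them into a case for the IT, HR and security teams to look at together.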

Reframing the ransomware risk

Recent incidents involving M&S and Harrods make one thing clear: ransomware is no longer just a cybersecurity problem – it’s a human and operational risk. Defenders must understand that ransomware may not start with a firewall breach. It could begin with a message to an employee’s personal device, or a compromised contractor logging in with trusted credentials.

Want to stay ahead of insider threats?

Access our latest Insider Threat Assessment to understand why insider risk is increasing and why traditional cybersecurity tools like SIEMs aren’t enough. This report uncovers a new intelligence-led approach for early detection and prevention.

Inside you’ll find:

  • The evolving tactics and motivations behind insider incidents
  • Real-world case studies from government, law enforcement, defence and private sectors
  • Why insider threats often evade traditional cyber defences
  • A practical framework for behavioural monitoring and cross-functional response
  • How Clue enables organisations to uncover hidden risks through integrated intelligence

Get the full report and strengthen your insider risk strategy today.
