Researchers have discovered a Nigerian threat actor trying to turn an organization’s employees into insider threats by soliciting them to deploy ransomware for a cut of the ransom profits.
Researchers at Abnormal Security identified and blocked a number of emails sent earlier this month to some its customers that offered people $1 million in bitcoin to install DemonWare ransomware. The would-be attackers said they have ties to the DemonWare ransomware group, also known as Black Kingdom or DEMON, they said.
“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom,” researchers wrote in a report published Thursday about the campaign. “The employee is told they can launch the ransomware physically or remotely.”
DemonWare, a Nigeria-based ransomware group, has been around for a few years. The group was last seen alongside numerous other threat actors launching a barrage of attacks targeting Microsoft Exchange’s ProxyLogon set of vulnerabilities, CVE-2021-27065, which were discovered in March.
The campaign begins with an initial email soliciting help from an employee to install ransomware while dangling the offer of payment if the person follows through. It also gives the recipient—who attackers later said they found via LinkedIn—a way to contact the sender of the email.
Researchers from Abnormal Security did just that to find out more about the threat actor and the campaign. They sent a message back indicating that they had viewed the email and asked what they needed to do to help, they reported.
“A half hour later, the actor responded and reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server,” researchers wrote. “Of course, our fictitious persona would have access to the server, so we responded that we could and asked how the actor would send the ransomware to us.”
Researchers continued to communicate over five days with the threat actors as if they were willing to be a part of the scam. “Because we were able to engage with him, we were better able to understand his motivations and tactics,” they wrote in the report.
Changing the Game
Upon being contacted, the threat actor sent researchers two links for an executable file that could be downloaded on the file-sharing sites WeTransfer or Mega.nz
“The file was named “Walletconnect (1).exe” and based on an analysis of the file, we were able to confirm that it was, in fact, ransomware,” researchers noted.
The threat actor showed flexibility in how much ransom he was willing to receive from the company, researchers said. While the original amount was $2.5 million in bitcoin, the threat actor quickly lowered that sum to $250,000 and then to $120,000 when researchers said that the fake company for which they worked had an annual revenue of $50 million.
“Throughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn’t get caught, since the ransomware would encrypt everything on the system,” researchers said. “According to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server.”
Through initial findings from research done before they opened the chain of communication, they said that the actor with whom they communicated was likely Nigerian, “based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website,” they said.
Social Engineering as Cybercrime Strategy
Overall, the experiment provided new insight and context regarding how West African threat actors—who are primarily located in Nigeria—”have perfected the use of social engineering in cybercrime activity,” researchers said.
Indeed, there long has been “a blurry line” between cybercrime and social engineering, observed one security professional. “This is an example of how the two are intertwined,” said Tim Erlin, vice president of strategy at Tripwire, of the campaign.
“As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals,” he said in an email to Threatpost.
The campaign also sheds light on how attackers leverage the idea of a disgruntled insider to try to get them to do their dirty work for them—a concept that also isn’t new, but can provide key insight into yet another way ransomware can find its way onto an organization’s network, noted another security professional.
“It is always important that ransomware victims try their best to track down how the ransomware got into their environment,” Roger Grimes, data-driven-defense analyst at KnowBe4. “It is an important step. If you do not figure out how hackers, malware and ransomware are getting in, you are not going to stop them or their repeated attempts.”