Skip to content
Campaign emails company insiders & initially offers 1m in Bitcoin if they install Demon Ware on an organisation’s network.
Researchers have discovered a Nigerian threat player trying to turn an organisation’s employees into insider threats by soliciting them to deploy ransomware for a cut of the ransom profits.
$1m in Bitcoin
Researchers at Abnormal Security identified & blocked a number of emails sent earlier this month to some its customers that offered people $1m in bitcoin to install Demon Ware ransomware. The would-be attackers explained they have ties to the Demon Ware ransomware group, also known as Black Kingdom or DEMON, they stated.
“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1m in bitcoin, or 40% of the presumed $2.5m ransom,” researchers wrote in a report published Thurs. about the campaign. “The employee is told they can launch the ransomware physically or remotely.”
Demon Ware, a Nigeria-based ransomware group, has been around for a few years. The group was last seen alongside many other threat players launching a barrage of attacks targeting Microsoft Exchange’s Proxy Logon set of vulnerabilities, CVE-2021-27065, which were discovered in March.
Accomplice-Based Campaign
The campaign begins with an initial email soliciting help from an employee to install ransomware while dangling the offer of payment if the person follows through. It also gives the recipient—who attackers later said they found via LinkedIn—a way to contact the sender of the email.
Researchers from Abnormal Security did just that to find out more about the threat player & the campaign. They sent a message back indicating that they had viewed the email & asked what they needed to do to help, they reported.
Windows Server
“A half hour later, the actor responded & reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server,” researchers wrote.
“Of course, our fictitious persona would have access to the server, so we responded that we could & asked how the actor would send the ransomware to us.”
Researchers continued to communicate over 5 days with the threat players as if they were willing to be a part of the scam. “Because we were able to engage with him, we were better able to understand his motivations and tactics,” they wrote in the report.
Changing the Game
Upon being contacted, the threat player sent researchers 2 links for an executable file that could be downloaded on the file-sharing sites WeTransfer or Mega.nz
“The file was named “Wallet connect (1).exe” & based on an analysis of the file, we were able to confirm that it was, in fact, ransomware,” researchers noted.
The threat player showed flexibility in how much ransom he was willing to receive from the company, researchers revealed. While the original amount was $2.5m in bitcoin, the threat player quickly lowered that sum to $250k & then to $120k when researchers said that the phoney company for which they worked had an annual revenue of $50m.
Encrypt Everything
“Throughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn’t get caught, since the ransomware would encrypt everything on the system,” researchers stated.
“According to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server.”
Through initial findings from research done before they opened the chain of communication, they said that the player with whom they communicated was likely Nigerian, “based on information found on a Naira (Nigerian currency) trading website & a Russian social media platform website,” they explained.
Cybercrime Strategy
The experiment provided new insight & context regarding how W. African threat players—who are mainly located in Nigeria—”have perfected the use of social engineering in cyber-crime activity,” researchers explained.
Indeed, there long has been “a blurry line” between cyber-crime & social engineering, observed 1 security professional. “This is an example of how the 2 are intertwined,” outlined Tim Erlin, VP of Strategy at Tripwire, of the campaign.
Avoiding Phishing
“As people become better at recognising & avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals,” he observed
The campaign also shows how attackers use the idea of a disgruntled insider to try to get them to do their work for them—a concept that also isn’t new but can provide an insight into yet another way ransomware can find its way onto an organisation’s network, noted another security professional.
Ransomware Victims
“It is always important that ransomware victims try their best to track down how the ransomware got into their environment,” Roger Grimes, Data-Driven-Defence Analyst at KnowBe4.
“It is an important step. If you do not figure out how hackers, malware & ransomware are getting in, you are not going to stop them or their repeated attempts.”
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
