Ransomware group solicits employees to target companies

One ransomware hacker has turned to an unlikely approach to infect victims’ computer systems – by soliciting help from their victims’ employees.

In one of its latest blog reports, cybersecurity company Abnormal Security noted that it has recently identified and blocked a number of suspicious emails sent to its clients. The emails allegedly come from an individual with ties to the DemonWare ransomware group.

In the emails, the threat actor sender tells email recipients that if they can help deploy ransomware on a company computer or server, then they would be either paid US$1 million in bitcoin or 40% of the roughly US$2.5 million ransom the hacker is looking to bilk from the victim company.

Abnormal Security noted that the malicious sender even included two methods for email recipients to contact the hacker if they are interested; an Outlook email account and a Telegram username. The security firm also mentioned that ransomware is typically delivered via email attachments or direct network access obtained through system vulnerabilities. It noted it is unusual to see an actor attempt to use “basic social engineering techniques” to convince an employee to be complicit in an attack.

To better understand how such a cyberattack would work, Abnormal Security created a fictitious persona and reached out to the hacker. Through conversations and “planning” an attack, the firm learned the following:

• The threat actor was quite flexible in the amount of money they were willing to accept for the ransom, depending on the size of the victim company.
• The threat actor repeatedly attempted to alleviate any hesitations the hypothetical co-conspirator might have over the cybercrime, claiming that the ransomware would encrypt everything on the system, including any CCTV systems the company may have guarding their servers.
  • However, the threat actor assumes that their would-be accomplice has physical access to a server. Abnormal Security also highlighted that the hacker may not be familiar with digital forensics or incident response investigations if they think employees will not get caught tampering with the servers.
• The threat actor claimed to have programmed the malware using Python, but DemonWare is readily available on GitHub for ‘script kiddies’ to use.
• The threat actor collects targeting information from LinkedIn, obtaining employee contact information so that they know who to approach. The hacker also said that they originally planned to send phishing emails to senior-level executives, but when that did not work, they turned to social engineering.
• The threat actor is Nigerian due to information found on a Nigerian currency trading website.

“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Abnormal Security said in its blog report. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”