The recent disruption of the Ransomware-as-a-Service model, which benefited hackers worldwide, is now bearing fruit: hackers are resorting to bribing employees into injecting malware into their companies’ networks.
On Thursday, cloud security firm Abnormal Security revealed how a Nigerian cyber criminal was attempting to bribe corporate workers with rewards of up to $1 million in bitcoin if they deployed ransomware inside their corporate networks on behalf of the hackers.
The new campaign, launched by hackers associated with the DemonWare ransomware group, which is also known as Black Kingdom and DEMON, involves hackers sending emails to corporate workers offering unbelievable sums of money in exchange for doing the dirty work on their behalf. Such instances of hackers using corporate workers as ransomware mules (our words) have rarely been seen in the past.
“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom.
“The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username,” wrote Crane Hassold, the Director of Threat Intelligence at Abnormal Security, in a blog post.
“Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable.”
After the security firm got wind of a proposal made by a DemonWare member to a corporate worker, it set up a fictitious persona and contacted the hacker using their preferred channels. Once contact was established, the hacker quickly sent the researchers a couple of links to an executable file that could be downloaded from the file-sharing sites WeTransfer or Mega.nz. The firm confirmed that the file, named “Walletconnect (1).exe”, was indeed ransomware.
Further interaction with the hacker revealed that after learning that the targeted company (a fake one set up by researchers) enjoyed about $50 million in annual revenue, the hacker quickly reduced the proposed ransom amount from $2.5 million to just $120,000. The hacker also boasted about developing the ransomware himself when, in fact, the sample is freely available on GitHub as a “project was made to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].”
“In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them. This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically sophisticated actors to get into the ransomware space,” Hassold wrote.
Fortunately, in this case, the researchers were able to make the hacker reveal his identity as well. He told Absolute Security that he was located in Nigeria and wished to become “the next Mark Zuckerberg” by building an African social networking platform.
Commenting on the new phenomenon of Nigerian hackers approaching corporate workers to deploy ransomware in exchange for a share of the spoils, Roger Grimes, a data-driven defense evangelist at KnowBe4, said: “This is not the first instance I have heard about employees, disgruntled or not, being paid to place ransomware into their companies. The most famous one was the $1M promised to a Tesla employee. A Russian ransomware spreader was arrested in that case.
“The big question to ask is, how prevalent is it? Is it just a few here and there or is it more widespread than believed? I do not know the answer, but there have to be some takers. That is why it is always important that ransomware victims try their best to track down how the ransomware got into their environment. It is an important step. If you do not figure out how hackers, malware, and ransomware are getting in, you are not going to stop them or their repeated attempts.
“Fortunately, we know the most common root cause, and it is not disgruntled employees. It is social engineering employees into running trojan horse programs or into providing their login credentials, followed by unpatched software. These two root causes account for likely 90 percent of all hacker and malware exploitations.
“You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA. You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem,” Grimes added.