A Nigerian hacker recently tried to use disgruntled employees of an organisation to run a ransomware cyberattack, offering them $1 million worth of bitcoin as a reward.
Abnormal Security, a cybersecurity firm, disclosed that they intercepted a number of emails sent earlier in the month to some of their customers.
The would-be attackers said they have ties to the DemonWare ransomware group, also known as the Black Kingdom or DEMON. This group has been around for a few years and was in the news for trying to exploit a significant Microsoft Exchange vulnerability.
“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom,” Abnormal Security said.
Over the course of five days, the team at Abnormal Security engaged with the hacker via Telegram, pretending to be an employee who was willing to cooperate.
The hacker shared the file containing the malware and even reduced the ransom price upon hearing that the fake company’s annual revenue was $50 million.
While the hacker indicated that he got the emails of these workers through LinkedIn, it is also possible for attackers to buy contact details and personal information.
Ransomware is a form of malicious software (malware) that encrypts a victim’s files. It converts the information in the files into a secret code that hides the information’s true meaning.
Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecured VPN accounts or software vulnerabilities.
Once the malware has been deployed, the victim loses access to their files, and the attacker demands a ransom in exchange for restoring access to the data.
The hacker, in this case, stated that he had planned to target only senior-level executives, but when that plan failed, he pivoted to a ransomware scheme.
Later in the conversation, he revealed that he was a Nigerian building a social networking platform. Abnormal Security then ran an independent check that confirmed he was a Nigerian.