Serviceteam IT Security News

DemonWare Solicits Staff to Deploy Ransomware

A cyber-criminal group has been emailing employees and asking them to help attack their own companies with malware. 

The insider threat solicitation scheme was discovered by researchers at Abnormal Security. The author of the emails is someone who claims to have links with the DemonWare ransomware group, also known as Black Kingdom and DEMON.

"On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme," stated Abnormal Security's Crane Hassold. 

"The goal was for them to infect their companies’ networks with ransomware."

To entice the employees into becoming their criminal accomplices, the email's author offers them a cut of the loot. 

"The sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1m in Bitcoin, or 40% of the presumed $2.5m ransom," wrote Hassold.

Employees are told how to launch the ransomware physically or remotely. Interested employees are instructed to contact the sender via an email address or via Telegram. 

This new and rather brazen attack tactic stood out to researchers, who are used to seeing ransomware deployed via other, more subtle, methods. 

"Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts or software vulnerabilities," wrote Hassold. "Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable."

Researchers created a fake persona and contacted the attacker asking how they could help in the attack. The attacker sent download links to an executable file that researchers confirmed was ransomware. 

Further communication with the attacker revealed that he picked his targets and found their email addresses on the networking site LinkedIn. 

"You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA," commented Roger Grimes, data-driven defense evangelist at KnowBe4.

"You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem."

Source: Infosecurity Magazine

