A Nigeria-based ransomware gang is running a campaign that offers employees of targeted organisations a $1 million bribe – or a share of any ransom collected – if they install DemonWare ransomware on their employer’s corporate network.
“We constructed a fictitious persona and reached out to the actor on Telegram to see if we could get a response,” says Crane Hassold, director of Abnormal Security, a cyber security company. “It didn’t take long for a response to come back, and the resulting conversation gave us an incredible inside look at the mindset of this threat actor.” Hassold adds: “Based on our conversation with the actor, he claimed to have successfully deployed the ransomware against three companies; however, we haven’t been able to verify his claims.”
The campaign’s operators were quick to react when a researcher replied to their email through Telegram. An attacker responded in about 30 minutes, asking whether the researcher had access to his employer’s Windows server, Hassold says. The researcher replied “yes” and was sent two links to the file-sharing sites WeTransfer and Mega.nz.
“Based on an analysis of the file [examined by Hassold’s team], we were able to confirm that it was, in fact, ransomware,” Hassold notes.
Abnormal Security says the hacker confirmed he was Nigerian. He also claimed to have developed DemonWare himself, even though this ransomware is freely available on GitHub. “In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them,” Hassold says. “This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier for less technically sophisticated actors to get into the ransomware space.”
Hassold said: “According to this actor, he had originally intended to send his targets – all senior-level executives – phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext. Many email-based cyber threats today have become less technically sophisticated because email defenses have gotten quite good at stopping attacks using things like malicious payloads, but aren’t very good at detecting more basic social engineering attacks. This is why attacks like business email compromise have become so common today.”
Abnormal Security says this campaign is a logical extension of the business email compromise attacks carried out from Nigeria. Hassold says: “While the approach seems amateurish, I think it actually fits within the framework of tactics this actor has become accustomed to. Like many Nigerian threat actors, social engineering has been a core strategy for decades, so it makes sense that this actor would use those techniques even when trying to deploy something more technically sophisticated, like ransomware.”