Researchers at Abnormal Security have identified a Nigerian threat actor attempting to recruit employees, offering to pay them $1 million in Bitcoin to deploy Black Kingdom ransomware on their companies’ computers or Windows servers as part of an insider threat scheme.
“The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in Bitcoin or 40% of the presumed $2.5 million ransom. The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username,” researchers explained in a report published on Thursday.
Earlier in March, Black Kingdom, also widely known as DemonWare, caught the attention of researchers when attackers were found abusing the ProxyLogon vulnerabilities affecting Microsoft Exchange Server to infect unpatched systems with the ransomware strain.
Security researchers identified and blocked phishing emails on August 12 that solicited recipients to infect their employers’ networks with ransomware. Researchers created a fake identity to communicate with the ransomware operator — who went by the screen name “Pablo”.
Crane Hassold, director of threat intelligence for Abnormal Security, communicated with the ransomware operator via Telegram and was able to talk the mastermind into sending what turned out to be a file named “Walletconnect (1).exe” containing the ransomware. The amount of the planned ransom demand changed over the course of the conversation, dropping from $2.5 million to as low as $120,000.
“At one point in the conversation, we asked the actor if he had created the ransomware himself or if he was just using it. The actor told us that he ‘programmed the software using python language.’ In reality, however, all of the code for DemonWare is freely available on GitHub. … In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them,” Hassold wrote in the blog post.
The use of the DemonWare malware “demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically sophisticated actors to get into the ransomware space,” Hassold added.
Researchers believe the ransomware operator with whom they communicated was likely Nigerian, “based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website”.
A signature style of Nigerian fraudsters is social engineering, most infamously in the “Nigerian prince” schemes in which scammers attempt to lure victims to send money under another guise.
“It makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.