Hackers Solicit Disgruntled Employees for Ransomware
- By Dawna M. Roberts
- Published: Sep 23, 2021
- Last Updated: Mar 18, 2022
Threat researchers have discovered a Nigerian hacker soliciting disgruntled employees to install DemonWare ransomware on company computers so he can fund a pet project of his own.
What is Going On?
Crane Hassold, director of threat intelligence at Abnormal Security, decided to go undercover and respond to an email he received at his workplace. The email below promised him 40% of a 1 million score if he installed DemonWare ransomware on his employer’s computer.
The email reads:
“If you can install and launch our DemonWare Ransomware in any computer/company main windows server physically or remotely
40 percent for you, a milli dollars for you in BTC
if you are interested, mail cryptonation92@outlook.com
Telegram : madalin888”

How Did This Come About?
On August 12, 2021, Abnormal Security identified a number of blocked emails on their customer’s accounts, all of which solicited employees to install ransomware on their employer’s servers.
All the emails mention DemonWare (aka the Black Kingdom and DEMON), which has been active for many years. The ransomware exploits the Microsoft Exchange vulnerability that was announced in March (CVE-2021-27065).
Abnormal Security released a report about the emails on Thursday, August 19.
Typical ransomware attacks involve tricking someone into downloading attachments or clicking links to install malware, but this new approach is unique. Another strange aspect of the hacker asking an employee to help them commit ransomware fraud is that they invite the user to contact them directly. Abnormal Security did just that, with Hassold pretending to be a disgruntled employee complicit with the scam.
The ruse employed by Abnormal Security allowed them to gather extensive information about the mindset of the hacker, who repeatedly revised his initial estimate of the ransom down from one million to only $120,000.
Through this exercise, it became clear that the ransomware actor was inexperienced and not “very familiar with digital forensics or incident response investigations.”
The threat actor also lied about creating the ransomware himself, saying that he “programmed the software using python language.” According to Abnormal, ‘In reality, however, all of the code for DemonWare is freely available on GitHub as a “project was made to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].”’
Social Engineering Taken to the Next Level
Social engineering is often used as a tactic to engage an innocent victim in the process of crippling corporate servers. However, this innovative approach is truly visionary, finding and using disgruntled employees who are only too eager to help destroy a company financially and make a profit in the process.
The threat actor in this ploy claims he got the contact information from LinkedIn, creating an email list of CEOs and CFOs to contact his victims. He originally intended to hack those accounts using phishing campaigns but was unsuccessful, so he switched tactics to ransomware.