Hacker caught offering money to corporate workers to deploy ransomware

Hackers caught offering money to employees to deploy ransomware on their behalf

The recent disruption of the ransomware-as-a-service model, which had benefited hackers worldwide, is now showing its effects: hackers are resorting to bribing employees into injecting malware into their own companies’ networks.

On Thursday, cloud security firm Abnormal Security revealed how a Nigerian cyber criminal was attempting to bribe corporate workers with rewards of up to $1 million in bitcoin if they deployed ransomware inside their corporate networks on behalf of the hackers.

The new campaign, launched by hackers associated with the DemonWare ransomware group (also known as Black Kingdom and DEMON), involves emailing corporate workers and offering them unbelievable sums of money in exchange for doing the dirty work on the hackers’ behalf. Instances of hackers using corporate workers as ransomware mules (our words) have rarely been seen in the past.

“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom.

“The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username,” wrote Crane Hassold, the Director of Threat Intelligence at Abnormal Security, in a blog post.

“Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable.”

After the security firm got wind of a proposal made by a DemonWare member to a corporate worker, it set up a fictitious persona and contacted the hacker through their preferred channels. Once contact was established, the hacker quickly sent the researchers a couple of links to an executable file hosted on the file-sharing sites WeTransfer and Mega.nz. The firm confirmed that the file, named “Walletconnect (1).exe”, was indeed ransomware.

Further interaction with the hacker revealed that, after learning that the targeted company (a fake one set up by the researchers) had about $50 million in annual revenue, the hacker quickly reduced the proposed ransom from $2.5 million to just $120,000. The hacker also boasted about having developed the ransomware himself when, in fact, the sample is freely available on GitHub as a “project was made to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].”

“In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them. This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically sophisticated actors to get into the ransomware space,” Hassold wrote.

Fortunately, in this case, the researchers were also able to get the hacker to reveal his identity. He told Abnormal Security that he was located in Nigeria and wished to become “the next Mark Zuckerberg” by building an African social networking platform.

Commenting on the new phenomenon of Nigerian hackers approaching corporate workers to deploy ransomware in exchange for a share of the spoils, Roger Grimes, a data-driven defense evangelist at KnowBe4, said: “This is not the first instance I have heard about employees, disgruntled or not, being paid to place ransomware into their companies. The most famous one was the $1M promised to a Tesla employee. A Russian ransomware spreader was arrested in that case.

“The big question to ask is, how prevalent is it? Is it just a few here and there or is it more widespread than believed? I do not know the answer, but there have to be some takers. That is why it is always important that ransomware victims try their best to track down how the ransomware got into their environment. It is an important step. If you do not figure out how hackers, malware, and ransomware are getting in, you are not going to stop them or their repeated attempts.

“Fortunately, we know the most common root cause, and it is not disgruntled employees. It is social engineering employees into running trojan horse programs or into providing their login credentials, followed by unpatched software. These two root causes account for likely 90 percent of all hacker and malware exploitations.

“You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA. You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem,” Grimes added.

Copyright Lyonsdown Limited 2021
