The term ransomware is used to describe any type of malware (malicious software) that encrypts or locks data on a device and demands a ransom payment to decrypt it.

Ransomware attacks have evolved over the years, with cybercriminals using increasingly sophisticated techniques to target organizations and individuals.

This summer, cybersecurity researchers spotted a hacker trying to bribe employees to deploy ransomware on their company's computers.

Bribing Employees: What Happened?

In August, Abnormal Security noticed that employees received emails soliciting them to become accomplices in a ransomware attack. The threat actor emailed the employees telling them they would be paid 40 percent of the $2.5 million ransom to deploy ransomware on their company's computers, either physically or remotely, and left contact information.

Cybercriminals usually deploy ransomware through email attachments, or through Virtual Private Network (VPN) setups. Naturally, Abnormal Security researchers were curious about this particular threat actor's methods, so they decided to pose as an employee willing to participate in the scheme and reached out to the scammers.

The Threat Actor Responds

The threat actor responded quickly, in less than an hour, asking the supposed employee whether they would be able to access their company's Windows server. The researchers responded affirmatively, prompting the cybercriminal to send links to file transfer sites, WeTransfer and Mega.

The researchers downloaded the file he sent, "Walletconnect (1).exe," and confirmed that it was indeed ransomware, the DemonWare variant. Just to be clear: we don't advise anyone to download anything suspicious sent by a stranger.

Still posing as an employee, the researchers told the threat actor that their company had an annual revenue of $50 million. The threat actor then lowered the ransom amount from $2.5 million to $120,000.

The threat actor repeatedly tried to convince the supposed employee that the ransomware would encrypt everything on the system without leaving any traces, showing that he is either reckless or simply not too familiar with digital forensics.

The cybercriminal also claimed that he programmed the ransomware using the Python programming language, which was a lie: all of the code for DemonWare is freely available online.

DemonWare is not as dangerous as, for example, Ryuk ransomware, but the fact that pretty much anyone can easily find the code online and try to deploy the malware suggests that it is a threat that should be taken seriously.

How Did the Cybercriminal Get Contact Information?

So how did the threat actor go about getting the target's information?

The threat actor, by his own admission, sent senior-level executives at the company phishing emails in an attempt to compromise their accounts.

When this failed, he obtained contact information for employees from LinkedIn, and then sent out emails offering a share of the profits for deploying ransomware.

Who Is the Cybercriminal?

The threat actor was careless enough to share information about himself with Abnormal Security researchers, including his full name and location.

Apparently based out of Nigeria, he jokingly described himself as "the next Mark Zuckerberg," revealing that he's trying to build an African social networking platform.

He also claimed to have ties to the DemonWare ransomware group, which is also known as Black Kingdom and DEMON.

Clearly, this person is not exactly a criminal mastermind, but his attempt to turn employees into insider threats was notable and suggests that this could be an emerging trend.

Protection Against Attacks

It's easy to see how a more competent cybercriminal could cause major damage to an organization by social engineering their way into internal systems.

It is imperative that employers educate workers about hackers, but sometimes that's not enough. Apart from investing in security, employers concerned about insider threats should consider looking into employee monitoring software.

As long as it's non-invasive and safe, monitoring software can be a great way to ensure a company has an additional layer of protection from cyberattacks, especially today when millions of people around the world work from home.