Cybercrime Group asks Insiders for help to plant ransomware


Nigerian threat actor offered to pay the insider $1 million in bitcoin

A Nigerian threat actor was found trying to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on their companies’ networks.

Multiple messages were sent to inboxes protected by the cloud email security platform Abnormal Security. They caught the researchers’ attention because of the sender’s offer to the recipient: a $1 million payout for deploying ransomware on the network.

According to researchers at Abnormal Security, the sender tells the employee that if they are able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom.

The employee is told they can launch the ransomware physically or remotely. The sender also provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username.

Black Kingdom, also known as DemonWare and DEMON, is an open-source ransomware project available on GitHub.

The researchers, who detected and blocked the phishing emails on August 12, responded to the solicitation attempt by posing as an employee and reaching out to the actor on Telegram messenger. The threat actor unknowingly revealed the attack’s modus operandi, which included two links for an executable ransomware payload that the “employee” could download from WeTransfer or

Crane Hassold, director of threat intelligence at Abnormal Security, said that the attacker instructed them to dispose of the .EXE file and delete it from the recycle bin.

Based on the actor’s responses, it is clear that he expects an employee to have physical access to a server, and that he is not familiar with digital forensics or incident response investigations.

The plan is believed to have been devised by the chief executive of a Lagos-based social networking startup called Sociogram, with the goal of using the siphoned funds to “build my own company.” They disclosed more personal details by saying they owned the startup and that they were located in Nigeria, and even shared their LinkedIn profile.

The method of using LinkedIn to collect the corporate email addresses of senior-level executives is also worth mentioning.

It is not surprising to see attackers adopt new tactics to try phishing scams. As long as organizations need employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there is no guarantee that this kind of complicity will actually be rewarded.

