A ransomware actor has taken an unlikely approach to infecting victims' computer systems: asking the victims' own staff for help.
In one of its latest blog reports, cybersecurity firm Abnormal Security said it recently identified and blocked a number of suspicious emails sent to its customers. The emails allegedly came from someone with ties to the DemonWare ransomware group.
In the emails, the threat actor offers recipients either $1 million in Bitcoin or 40% of a roughly $2.5 million ransom, and asks whether they would be willing to help deploy ransomware on a company computer or server.
Abnormal Security found that the sender even included two ways for recipients to get in touch if they were interested: an Outlook email account and a Telegram username. The firm also noted that ransomware is usually delivered by exploiting system vulnerabilities, through email attachments, or via direct network access. It is unusual for an actor to rely on "basic social engineering techniques" to persuade an employee to become complicit in an attack.
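The pitch described above has a recognisable shape: a payout in cryptocurrency or a share of the ransom, a request to run something on company systems, and an out-of-band contact channel such as a Telegram handle or a free webmail address. The heuristic below, an added example and not Abnormal Security's detection logic, scores an inbound message on those three signals and flags it only when an external sender combines the payout offer with the request to act on company systems. The organisation domain, the sample messages, the sender addresses and the Telegram handle are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical organisation domain used to tell internal from external senders
# (an assumption for this example; substitute your own domains).
ORG_DOMAINS = {"corp.example"}


@dataclass
class Email:
    sender: str
    subject: str
    body: str


# One pattern per signal. All three appear in the insider-recruitment emails
# described in the article: a crypto payout or ransom share, a request to
# deploy or run something on company systems, and an out-of-band contact route.
SIGNALS = {
    "payout": re.compile(
        r"bitcoin|\bbtc\b|\bmonero\b|\bransom\b|\d{1,2}\s?%[^.\n]{0,40}?\bransom\b",
        re.I,
    ),
    "deploy": re.compile(
        r"\b(?:deploy|install|run|execute|launch|plant)\b[^.\n]{0,60}?"
        r"\b(?:servers?|computers?|workstations?|network|domain controller)\b",
        re.I,
    ),
    "contact": re.compile(
        r"telegram|\bt\.me/|(?<!\S)@\w{5,}|"
        r"\b[\w.+-]+@(?:outlook|hotmail|gmail|protonmail)\.\w+",
        re.I,
    ),
}


def is_external(sender: str) -> bool:
    """True when the sender's domain is not one of our own."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def analyze(mail: Email) -> dict:
    """Return which signals fired and whether the message should be flagged."""
    text = f"{mail.subject}\n{mail.body}"
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    external = is_external(mail.sender)
    # A payout offer together with a request to act on company systems is the
    # core of the recruitment pitch; a contact channel alone is too common to
    # act on, so it only adds context here.
    flagged = external and "payout" in hits and "deploy" in hits
    return {"external_sender": external, "signals": hits, "flagged": flagged}


# Constructed sample messages (not real emails from the campaign).
SOLICITATION = Email(
    sender="partner.offer@outlook.com",
    subject="Business proposal",
    body=(
        "Hello, I have a business proposal for you. If you can install our "
        "ransomware on your company's server or computer, you will get 40% of "
        "the $2.5 million ransom, paid in Bitcoin. Contact me on Telegram "
        "@contact_handle_example or at partner.offer@outlook.com."
    ),
)
VENDOR_NOTICE = Email(
    sender="support@vendor.example",
    subject="Agent rollout",
    body=(
        "Please install the agent on your servers this week and message me on "
        "Telegram if anything breaks."
    ),
)
CRYPTO_NEWSLETTER = Email(
    sender="news@exchange.example",
    subject="Weekly market update",
    body="Bitcoin rose 12% this week. Join the discussion on Telegram.",
)

if __name__ == "__main__":
    for sample in (SOLICITATION, VENDOR_NOTICE, CRYPTO_NEWSLETTER):
        print(sample.subject, "->", analyze(sample))
```

The vendor notice trips the deploy and contact signals and the newsletter trips payout and contact, yet neither is flagged; only the solicitation combines an external sender, a payout offer and a request to act on company systems. Keyword heuristics like this are a triage aid, not a verdict: a legitimate message can still hit all three signals, so route flagged mail to a reviewer rather than dropping it silently.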
To better understand how such an attack would work, Abnormal Security created a fictional persona and engaged the hacker. Through conversations and "planning" an attack together, the firm learned the following:
- The threat actor was fairly flexible about the ransom amount they were willing to accept, depending on the size of the victim company.
- The threat actor repeatedly tried to allay any concerns the hypothetical co-conspirator might have about the crime, claiming that the ransomware would encrypt everything on the system, including any CCTV recordings the company might store on its servers, so the insider would not be caught.
- However, the threat actor assumes that the potential accomplice has physical access to a server. Abnormal Security also pointed out that, because the actor believes an employee would not be caught tampering with the servers, the actor may be unfamiliar with digital forensics and incident response investigations: encrypting files on one server does not erase the evidence held elsewhere, such as authentication logs, endpoint telemetry or badge-access records.
- The threat actor claimed to have written the malware in Python, but DemonWare is readily available on GitHub for "script kiddies".
- The threat actor gathers targeting information from LinkedIn and obtains employees' contact details so they know whom to approach. The actor also said they had originally planned to send phishing emails to senior executives, but when that didn't work, they switched to soliciting insiders directly.
- The threat actor appears to be Nigerian, based on information found on a Nigerian currency-trading website.
"Knowing that the actor is Nigerian, the whole story comes full circle and provides remarkable context to the tactics used in the first email we identified," Abnormal Security said in its blog report. "For decades, West African fraudsters, mainly based in Nigeria, have been perfecting the use of social engineering in cybercrime."