Ransomware Attacker Offers Employees a Cut if They Install DemonWare on Their Organization's Systems

Researchers went undercover and posed as willing "insider threats" to expose and study an unusual hybrid BEC-style social engineering-ransomware scheme.

screenshots of Demonware ransom notes.
Source: Abnormal Security

Researchers masqueraded as a rogue employee to engage with a ransomware operator soliciting insiders to plant ransomware on their own organization's servers in exchange for a portion of the ransom money. Their ploy gave them a front-row seat in a rare ransomware threat — one that comes with a bold social engineering twist.

Crane Hassold, director of threat intelligence for email security firm Abnormal Security, since Aug. 12 has been interacting with the would-be attacker, who he believes is a Nigerian-based business email compromise (BEC) scammer based on the intelligence he has gathered and gleaned from their online interactions.

"It's an interesting and novel tactic," says Hassold of the attack.

The scam is somewhat reminiscent of a more targeted ransomware attempt on Tesla last year, when cybercriminals tried to bribe an employee at the carmaker's Gigafactory in Nevada to the tune of $1 million to help infect the company's network with ransomware. The employee instead worked with the FBI to help get the cybercriminal, a Russian national, arrested.

Meanwhile, Hassold has been communicating via Telegram with this new extortionist attacker, posing as a willing but nervous employee interested in getting a cut of a potential ransom payment. "I don't know how successful it will be at the end of the day, but they are not looking at a high success rate. ... They want to make enough money to make the ROI."

The attacker apparently initially attempted to dupe his victims using the usual BEC method of gathering contact information on LinkedIn and sending phishing emails to senior-level executives in hopes of stealing credentials and getting account access. Hassold says when the credential-phishing failed, the attacker pivoted to a ransomware attack deal-making scheme offered via an email message.

"It's really interesting to me that while we think of ransomware as a technically sophisticated attack, when we think of Nigerian scammers we think of social engineering. Now we have a hybrid attack, using the same social engineering tactics he's probably using on a daily basis on BEC, credential, and romance scams and tossing it in with ransomware."

The attack goes like this: The employee receives an email offering $1 million in Bitcoin, or 40% of a $2.5 million ransom bounty, if he or she installs DemonWare ransomware — either physically or remotely — on their company's Windows server or other computer. If the employee wants to take them up on it, he or she contacts the attacker via their Outlook email address or Telegram account provided in the initial email.

Given that most ransomware attacks begin with a rigged email attachment or via a compromised VPN account or software vulnerability, recruiting an insider to go rogue was an unusual tactic, according to Hassold, especially since it was not a targeted attack.

DemonWare ransomware, aka Black Kingdom, is available on GitHub for download, but the attacker told Hassold he had written the ransomware himself using Python. It's been most famously used to exploit the ProxyLogon (CVE-2021-27065) vulnerability in Microsoft Exchange earlier this year. 

Abnormal decided to engage with the attacker after spotting and blocking several of his email attempts to co-opt accomplices to infect their employers' systems with the ransomware. Hassold says the would-be targets spanned companies of all sizes and from different industry sectors, demonstrating the wide net the attacker had cast in hopes of cashing in.

He sent Hassold and his team links to an executable file called Walletconnect (1).exe, and they confirmed it was ransomware. The attacker also sent Hassold a screenshot of his ransomware control panel, and it appeared to bolster his claim that he had successfully recruited three victims who had installed the ransomware in their organizations.

The kicker, though, is that if an employee were to go rogue and install the ransomware on the company server, their role in the attack likely would be exposed at some point during the incident response. Hassold says the attacker reassured him that "all files" would be encrypted, and not to worry because even if the victim pays up and the files are decrypted, they won't know it was his doing. "He told me once I've installed the ransomware then just put [the .exe file] in the recycle bin and [delete it] and it will be fine."

That naive comment demonstrates how little the attacker knows about digital forensics and incident response, Hassold says.

Hassold and his team were able to gather some personal details on the would-be attacker, including his location in Nigeria. "He sent me his LinkedIn profile, which of course could be fake, but some information matches what we found in our open source analysis" of him, Hassold says.

Ransomware Helps BEC Evolve
The researchers shared their findings with US law enforcement, including the attacker's name and LinkedIn profile. But it's unlikely to result in an any legal action anytime soon because officials need an actual victim's case to pursue a full investigation. "It's a chicken-and-egg situation with law enforcement" at times, Hassold says.

"I think based on this campaign it's interesting to note that ransomware has really gotten to the point that you have actors usually in other spaces at least trying to use fear-mongering of ransomware to make themselves money," he says.

Even so, ransomware is still nowhere near as lucrative as BEC attacks, he says. "The BEC-type attack causes the most financial impact" to date, he notes. And the Nigeria-based BEC groups are constantly evolving, he says, and running multiple scams simultaneously.  

"It doesn't surprise me at all to see these actors at a minimum testing out a tactic like this to see if it will be successful," Hassold says.

According to the "2021 Verizon Data Breach Investigations Report," BEC was second only to phishing as the most common type of social engineering attack. Of the nearly 60% of BEC attacks that stole money, the median loss to victims was $30,000. Some 95% of BECs cost victims between $250 and $984,855..

BEC attacks cost US organizations some $1.77 billion overall in 2019, according to the FBI. 

"A well-credentialed insider threat is the soft underbelly of an organization," notes Cameron Camp, a security researcher with ESET. "A high-value target that can plant malicious payloads deep in the mothership is probably worth whatever the bad actors have to pay."

While rogue insiders are much less common than a pure BEC attack attempt, this scheme underscores how many cyberattacks don't entail malicious payloads coming in via email. It's more about social engineering attacks, he says, adding that this is a great example of a less technically sophisticated attack that relies mainly on social engineering.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights