It has been discovered that threat actors are trying to turn disgruntled employees against their own business, by asking them to deploy ransomware and offer a cut of the ransom profits.
Researchers at a security firm were themselves targeted in the scam before they identified and blocked a number of emails offering recipients the equivalent of hundreds of thousands of pounds to install DemonWare ransomware. The would-be attackers have ties to the DemonWare ransomware group, also known as Black Kingdom or DEMON. The employee is told they can launch the ransomware either physically or remotely.
DemonWare has been around for a few years. The group was last seen alongside numerous other threat actors launching a barrage of attacks targeting Microsoft Exchange’s ProxyLogon set of vulnerabilities, CVE-2021-27065, which were discovered in March. The campaign begins with an initial email soliciting an employee’s help to install ransomware while dangling the offer of payment if the person follows through. It also gives the recipient—whom the attackers later said they found via LinkedIn—a way to contact the sender of the email.
Researchers contacted the cyber criminals to find out more about the campaign. They sent a message back indicating that they had viewed the email and asked what they needed to do to help. Minutes later, the criminal responded, reiterated what was included in the initial email, and asked whether the researchers would be able to access their (fake) company’s Windows server.
Researchers continued to communicate with the threat actors over five days, posing as willing participants in the scam. Once contact was established, the threat actor sent the researchers two links to an executable file hosted on the file-sharing sites WeTransfer and Mega.nz. The file was named “Walletconnect (1).exe”, and analysis of the file confirmed that it was, in fact, ransomware.
The cyber criminals also showed flexibility in how much ransom they were willing to accept. The original amount was £1.8 million in bitcoin; the threat actor quickly lowered that sum to £180,000, and then to £120,000 when the researchers said that the fake company they worked for had an annual revenue of around £40 million.
The actor repeatedly tried to ease any hesitation by reassuring the researchers that they would not get caught, since the ransomware would encrypt everything on the system, including any CCTV (closed-circuit television) footage that might be stored on the server.
The case offers a clear look at how threat actors have refined the use of social engineering in cyber crime. The campaign also sheds light on how attackers play on the idea of a disgruntled insider to get someone else to do their dirty work—a concept that is not new, but one that highlights yet another route by which ransomware can find its way onto a business’s network.