Security researchers are reporting emails soliciting company insiders to install the Demon (Black Kingdom) ransomware on their organizations’ networks.
Nigerian Threat Actor Behind the Campaign
According to a report by Abnormal Security, a Nigerian threat actor is trying to recruit an organization’s employees to deploy the Black Kingdom ransomware for a cut of the ransom profits.
“On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme. The goal was for them to infect their companies’ networks with ransomware. These emails allege to come from someone with ties to the DemonWare ransomware group,” the researchers said in a recent report.
The Demon ransomware, also known as DemonWare and Black Kingdom ransomware, has been around for several years, the researchers added. Earlier this year, the ransomware was deployed in attacks involving CVE-2021-27065, one of the four zero-days in Microsoft Exchange Server announced in March.
In the ransomware’s latest campaign, the threat actor is encouraging the employee to deploy the ransomware on a company computer or Windows server. In exchange, the employee would receive $1 million in Bitcoin, or 40% of the $2.5 million ransom.
“The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username,” Abnormal Security discovered.
Researchers from Abnormal Security did just that to find out more about the threat actor and the campaign. They sent a message back indicating that they had viewed the email and asked what they needed to do to help, they reported.
“A half hour later, the actor responded and reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server,” researchers wrote. “Of course, our fictitious persona would have access to the server, so we responded that we could and asked how the actor would send the ransomware to us.”
Researchers continued to communicate over five days with the threat actors as if they were willing to be a part of the scam. “Because we were able to engage with him, we were better able to understand his motivations and tactics,” they wrote in the report.
To test the ransomware operators, the researchers created a fictitious persona that got in touch with the criminals. The threat actor sent the researchers two links to an executable file via the file-sharing sites WeTransfer and Mega.nz. An analysis confirmed that the file was indeed ransomware.
“Throughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn’t get caught, since the ransomware would encrypt everything on the system. According to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server,” the report revealed.
“Threat intelligence like this helps us better understand the bigger picture with additional context—something we’re unable to do by only examining traditional indicators of compromise and raw data,” the team concluded.