Most ransomware attacks begin with a compromised employee email account, something that in turn happens through some combination of phishing and social engineering. An enterprising ransomware gang in Nigeria appears to be skipping this messy step, simply making a direct pitch to employees of target companies to join in on the attack for a cut of the profits.
The group has offered employees $1 million in bitcoin as part of a proposed $2.5 million ransom, asking them to install the DemonWare ransomware on the organization’s Windows computers or servers using their privileged credentials. Employees appear to be solicited via their LinkedIn profiles, and are not sent the full pitch unless they reply to an initial message indicating interest.
Ransomware group attempts to recruit insiders
DemonWare ransomware affiliates appear to be a particularly opportunistic and creative bunch; they were last seen among the leading groups attempting to exploit the Microsoft Exchange Server vulnerability that plagued small businesses earlier in the year. Researchers with security firm Abnormal Security believe the threat actors are in Nigeria based on emails turned over to them and a follow-up conversation in which they catfished one of the attackers.
The unusual social engineering campaign begins with an unsolicited email to an employee that spells out the scheme plainly in a short message: it offers 40% of the proposed ransom amount ($1 million) if the employee is willing to install the DemonWare ransomware either “physically or remotely.” Interested parties are given an Outlook email address or a Telegram username to respond to.
Those that reply soon get a follow-up message from the attacker attempting to verify that they have access to some sort of Windows server at the organization. The attacker then links to a hosted file on a file sharing site (such as Mega) that contains the ransomware to be installed.
While the attackers appear to speak at least competent English, they do not appear to be well-versed in the fine points of social engineering. The Abnormal researcher found that the attacker began asking about the company’s annual revenue, and adjusted the amount of ransom they intended to demand based on the responses. For example, the attacker said they would ask for $120,000 in response to a fictional company turnover of $50 million, far below the $1 million reward promised in the original email. The attackers also lie about being the developers of the DemonWare ransomware (the code is publicly available on GitHub).
The conversation also revealed that the attackers are trawling LinkedIn’s social networks to look for contacts, focusing on senior executives. This particular attacker confessed that they initially wanted to hack companies by using phishing as an in, but found automated security defenses too tough to penetrate and switched to this forthright approach as an alternative.
The Abnormal researchers believe the attacker is based in Nigeria after finding an account on a trading site linked to them that deals in that country’s national currency (the naira). The attacker also confessed to being in Nigeria during the catfishing conversation, claiming that he needs the funds to realize his vision of building a social media platform to rival Facebook.
Social engineering meets ransomware
The security researchers observe that this is a natural development, as Nigeria has been a hotbed of online scams that involve social engineering for some time. It is not particularly notorious for fielding skilled hackers, but being skilled is no longer strictly necessary given the emergence of ransomware-as-a-service groups. Nigerian scammers are also bold and creative, making news for stealing billions in COVID-19 relief fund benefits in the United States since 2020.
While this incident may not prove to be an effective tactic for ransomware operators, it does provide indirect evidence for the effectiveness of automated cyber defense systems that scan emails for phishing attempts and malware. The Abnormal researchers say that they would not have discovered the scam had their own product not picked up a batch of these incoming emails, and the scammer they catfished indicated that the attempt was born of previous failures at more traditional forms of hacking and social engineering.
But the incident also illustrates the limits of automated detection systems, and the potential for insider attacks to grow as an avenue of cyber crime as defenses improve against the current leading methods. LinkedIn offers robust protection against malware being passed in emails and messages sent through its platform, but has no real means of detecting social engineering attempts or outright direct pitches to employees to engage in criminal behavior. Direct or indirect insider attacks may become more prevalent as more employees work from home, with clever attackers potentially tricking targets into uploading malware or perhaps using leverage over them gleaned from data breaches as blackmail.
Niamh Muldoon, Global Data Protection Officer at OneLogin, feels that high value targets should anticipate an immediate uptick in creative social engineering attempts of this nature: “Personal assessments of high value and/or high profile individuals need to focus on keeping their clients security aware, implement clear processes on how to deal and report phishing and implement technical controls to reduce associated risks materializing … It is important that organizations and individuals know what they have, know where it is, know what it’s worth and determine how to protect it. Think of it from a security perspective first. By this we mean protecting unauthorized access to accounts and your data. Next, think of it from a privacy perspective: what data do we want to share and for what purpose?”