Insider Threats + Ransomware = Trouble

9465793865?profile=RESIZE_400xA new twist on an old con; remember all the Nigerian Princes who wanted to share their fortune with you, if only you would only send them your bank account number?  Nigerian threat actor has been observed attempting to recruit employees by offering them to pay $1 million in bitcoins to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme.

"The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security said in a report published Thursday. "The employee is told they can launch the ransomware physically or remotely.  The sender provided two methods to contact them if the employee is interested in an Outlook email account and a Telegram username."

Black Kingdom, also known as DemonWare and DEMON, attracted attention in March 2021when threat actors were found exploiting ProxyLogon flaws impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.  ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin.  Discovered by a malware researcher, DemonWare is malicious software classified as ransomware.  Typically, ransomware encrypts data and demands payment for decryption.  During the encryption process, DemonWare appends all affected files with the ".DEMON " extension.[1]

Abnormal Security, which detected and blocked the phishing emails on 12 August 2021, responded to the solicitation attempt by creating a fictitious persona and reached out to the actor on Telegram messenger, only to have the individual inadvertently spill the attack's modus operandi.  This included two links for an executable ransomware payload that the "employee" could download from WeTransfer or  "The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin.  Based on the actor's responses, it seems clear that he 1.) expects an employee to have physical access to a server, and 2.) he's not very familiar with digital forensics or incident response investigations," said the director of threat intelligence at Abnormal Security.

Besides taking a flexible approach to their ransom demands, the plan is believed to have been concocted by the chief executive of a Lagos-based social networking startup called Sociogram, with the goal of using the siphoned funds to, "build my own company." In one of the conversations that took place over the course of five days, the individual even took to calling himself, "the next Mark Zuckerberg."

Also of note is the method of using LinkedIn to collect corporate email addresses of senior-level executives, once again highlighting how business email compromise (BEC) attacks originating from Nigeria continue to evolve and expose businesses to sophisticated attacks like ransomware.

"There's always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are intertwined. As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals," the vice president of product management and strategy at Tripwire, said.  "The idea of a disgruntled insider as a cybersecurity threat isn't new.  As long as organizations require employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there's almost zero guarantee that this kind of complicity will actually be rewarded, and it's highly likely that someone taking this attacker up on their offer would get caught," he added.

Would anyone actually believe that a Nigerian hacker would really send you a commission for aiding and abetting his crime?

At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis.  Ransomware is truly a serious concern worldwide.  Our analysts are currently monitoring and collecting on 65+ dark web forums, 20 ransomware forums, 49 forums and marketplaces: of which 25 are forums [info only] and 24 are marketplaces [stolen data].  We can help identify personal and company information being sold in the Dark Web and help protect all levels of a company to avoid any network disruptions.  Our analysts are currently monitoring for these type TTP’s in the underground.   

Red Sky Alliance is   a   Cyber   Threat   Analysis   and   Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings




E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!