Nigerian Ransomware Actor Uses Social Engineering to Bribe Company Employees
Security researchers working with Abnormal Security have intercepted an intriguing batch of emails directed at employees of a company that is a customer of Abnormal. The emails attempt to bribe and persuade insiders to install ransomware on their own company's network in exchange for the promise of a juicy payment.
The emails originate from an actor that seems to be connected with the Nigeria-based DemonWare or Black Kingdom ransomware actor. The hackers have resorted to a relatively new social engineering approach.
They now offer company insiders a million US dollars, allegedly to be paid out in cryptocurrency, if the insider infects a computer or server belonging to their own employer. The $1 million is presented as 40% of a would-be $2.5 million ransom payment that the hackers claim they would demand.
Researchers from Abnormal Security contacted the bad actors, pretending to play along. As expected, the supposedly Nigeria-based hackers responded and sent links to the ransomware payload, packaged in a file called Walletconnect (1).exe.
Curiously, when researchers told the hacker that the company they worked for was small and wasn't making as much money as expected, the ransom demand was quickly scaled down from the initial $2.5 million to a much more modest $120 thousand.
This is not the first instance of ransomware threat actors using social engineering tricks and bribing company employees into infecting their own company networks. We recently covered a case where hackers operating the LockBit 2.0 ransomware also attempted to contact and bribe employees into becoming "affiliates" and partnering up with the cybercriminals, in exchange for the promise of a fat payout once the hack is executed.
Social engineering is one of the favorite tools of bad actors and has been used with great success in the past, primarily in malspam campaigns.