A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on company networks as part of an insider threat scheme.
“The sender tells the employee that if they are able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed US $2.5 million ransom,” Abnormal Security said in a report released Thursday. “The employee is told that he can initiate the ransomware physically or remotely. The sender provided two methods to contact him if the employee is interested: an Outlook email account and a Telegram username.”
Black Kingdom, also known as DemonWare and DEMON, attracted attention in early March when it was discovered that threat actors were exploiting ProxyLogon flaws affecting Microsoft Exchange servers to infect unpatched systems with the ransomware strain.
Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation by creating a fictitious persona and approaching the actor on Telegram Messenger, only for the individual to inadvertently spill the modus operandi of the attack, which included two links for an executable ransomware payload that the “employee” could download from WeTransfer or Mega.nz.
“The actor also instructed us to delete the .EXE file and remove it from the recycle bin. Based on the actor’s responses, it seems clear that 1) he expects an employee to have physical access to a server and 2) he is not very familiar with digital forensics or incident response investigations,” said Crane Hassold, director of threat intelligence for Abnormal Security.
Author: Ravie Lakshmanan.