Wanted: Disgruntled Employees
Usually, ransomware is delivered via malicious email attachments. Another way is to penetrate unsecured VPN accounts or make use of software vulnerabilities to gain access to a company’s network. Abnormal Security, however, came across a bold and relatively novel social engineering campaign. Instead of tricking employees into clicking on a malicious link, a Nigerian hacker decided to rely on disgruntled employees to do the dirty work for him. “In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom”, explains Crane Hassold in a blog post. “The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username.” The “insider threat” is a real worry within companies. Research shows employees cause about 60% of security incidents. Not that these employees are necessarily malicious in intent. Actually, most insider threats are accidental, caused by negligent and careless behavior.
Chatty Hacker…
Next, the security researchers decided to engage with the hacker. They created a fake persona and contacted him via Telegram, a cross-platform messaging app like Signal. It didn’t take long to get a response. “A half hour later, the actor reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server.” Abnormal Security’s answer? “Of course we could.” Not long after, the threat actor sent his new middleman two links containing an executable file, named Walletconnect (1).exe. He gave his accomplice the choice between WeTransfer and Mega.nz to download the file. The security researchers later determined that it was indeed ransomware. In the 5 days that followed, the two parties engaged in a chatty Telegram conversation and negotiated the ransom amount. “While the initial email insinuated the ransom would be $2.5 million, the actor quickly lowered expectations by indicating he hoped he could charge our fake company just $250,000.” Later, the hacker lowered the number even further, to $120,000.
… Reveals His Identity
Based on the hacker’s responses, it quickly became clear that he had limited experience with digital forensics and assumed the employee would have easy access to the server. The security researcher also asked the hacker if he created the ransomware himself. The hacker answered that he programmed the malware in Python. This turned out to be untrue, as the code was simply a copy of DemonWare, a type of ransomware that’s available on GitHub. “This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically-sophisticated actors to get into the ransomware space.” Of course, Abnormal Security was curious to find out the hackers’ identity. Eventually, they sweet-talked him into revealing more about himself. “He confirmed that he was located in Nigeria and was trying to build an African social networking platform, joking he was the next Mark Zuckerberg. He also provided a link to his LinkedIn profile containing his full name.”
Hacker Finds Targets Through Social Networks
Apparently, LinkedIn is also this hacker’s primary source of information when looking for potential targets. Just like marketers, hackers routinely trawl through social networks, like LinkedIn, Facebook and Twitter. Based on people’s job titles, roles and the company they work for, hackers try to identify high-potential targets. For example, to launch phishing campaigns or initiate BEC scams. As expected, the threat actor later had second thoughts about sharing his identity. He deleted all the revealing messages from the conversation. Anticipating this would happen, however, Abnormal Security had saved screenshots and reached out to the hacker via LinkedIn. “Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified. For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity. Because we were able to engage with him, we were better able to understand his motivations.”