A threat actor has been observed recruiting individuals to deploy Black Kingdom ransomware, offering to pay them $1 million in Bitcoin.
Black Kingdom (aka DemonWare and DEMON) is a ransomware family that came to light when it was deployed on Microsoft Exchange Servers through the ProxyLogon flaw back in March.
“The sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom,” Abnormal Security said in a report published Thursday.
The sender provided two methods of contact, an Outlook email account and a Telegram username, and told the insider they could launch the ransomware either physically or remotely.
After detecting and blocking the phishing emails on August 12, Abnormal Security used a fake persona to reach out to the actor who sent the messages. The actor then revealed the details of the attack, which included links to download a ransomware payload.
“The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin. Based on the actor’s responses, it seems clear that he 1) expects an employee to have physical access to a server, and 2) he’s not very familiar with digital forensics or incident response investigations,” said Crane Hassold, director of threat intelligence at Abnormal Security.
In a private chat with the undercover researchers, the threat actor revealed his identity. He turned out to be the chief executive of a Lagos-based social networking startup, Sociogram.
The actor also described a method of using LinkedIn to collect the email addresses of senior executives, which can expose businesses to more sophisticated email attacks.
“There’s always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are intertwined. As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals,” Tim Erlin, vice president of product management and strategy at Tripwire, said.
Erlin explained that the idea of using a disgruntled insider as a threat vector is not new. However, he noted that an attacker offering to pay a portion of the ransom would most likely not be caught. He added that “it’s highly likely that someone taking this attacker up on their offer would get caught.”