A Nigerian hacker recently tried to use disgruntled employees of an organisation to run a cyberattack scheme.

According to cybersecurity firm Abnormal Security, on August 12 it intercepted a number of emails sent earlier in the month to some of its customers. The emails came with a $1 million offer, in bitcoin, to assist in a ransomware scheme.

The would-be attackers said they have ties to the DemonWare ransomware group, also known as the Black Kingdom or DEMON. This group has been around for a few years. In March, the ransomware was in the news for trying to exploit a significant Microsoft Exchange vulnerability. 

Initial email sent by the hacker | Image Credit: Abnormal Security

“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom,” Abnormal Security said.

How Ransomware works

Ransomware is a form of malicious software (malware) that encrypts a victim’s files. It converts the information in the files into a secret code that hides the information’s true meaning.

Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecured VPN accounts or software vulnerabilities.

Once the malware has been deployed, the victim loses access to their files, and the attacker demands a ransom in exchange for restoring access to the data.

Victims of ransomware attacks are shown instructions for how to pay a fee to get the decryption key. The ransom in question can range from a few hundred dollars to millions, often paid to cybercriminals in Bitcoin.  

The initial response from the hacker reiterating the offer on Telegram | Image Credit: Abnormal Security

Over the course of five days, the team at Abnormal Security engaged with the hacker via Telegram, pretending to be an employee who was willing to cooperate.

The hacker shared the file containing the malware and even reduced the ransom price upon hearing that the fake company’s annual revenue was $50 million.

Hacker providing link to ransomware file | Image Credit: Abnormal Security

How did the hacker get the contact details of the people he contacted? He mentioned that he got their emails from LinkedIn. This, in addition to other commercial services that sell access to similar data, is a common medium scammers use to gather employees’ personal data and information. He also stated that he had planned to target only senior-level executives, but when that plan failed, he pivoted to a ransomware scheme.

Hacker stating how he got the information | Image Credit: Abnormal Security

Later in the conversation, he revealed that he was a Nigerian building a social networking platform. 

Abnormal Security also ran an independent check that confirmed he was a Nigerian.

Hacker confirming he’s a Nigerian | Image Credit: Abnormal Security

Information found on a Russian social media platform website connecting the hacker to Nigeria. | Image Credit: Abnormal Security

Due to the pandemic and lockdown restrictions in the past year, the digital world has experienced a rise in cyber attacks. A number of these attacks are made possible via social engineering, which relies on the oversight or negligence of people.

This story is coming at a time when the Nigerian government has allocated ₦1.93 billion ($4.6 million) for a solution that will monitor and intercept WhatsApp messages. The solution is reportedly aimed at protecting Nigerians from cybercrime and terrorism perpetrated through such messaging platforms.

However, media stakeholders and activists consider it another attempt to restrict civil liberties.

Daniel Adeyemi Author
