A Nigerian hacker recently tried to use disgruntled employees of an organisation to run a cyberattack scheme.
According to cybersecurity firm Abnormal Security, on August 12 it intercepted a number of emails sent earlier in the month to some of its customers. The emails came with a $1 million offer, in bitcoin, to assist in a ransomware scheme.
The would-be attackers said they have ties to the DemonWare ransomware group, also known as the Black Kingdom or DEMON. This group has been around for a few years. In March, the ransomware was in the news for trying to exploit a significant Microsoft Exchange vulnerability.
“In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin or 40% of the presumed $2.5 million ransom,” Abnormal Security said.
How Ransomware works
Ransomware is a form of malicious software (malware) that encrypts a victim’s files. It converts the information in the files into a secret code that hides the information’s true meaning.
Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through means such as insecure VPN accounts or software vulnerabilities.
Once the malware has been deployed, the victim loses access to their files, and the attacker demands a ransom to restore access to the data.
Victims of ransomware attacks are shown instructions for how to pay a fee to get the decryption key. The ransom in question can range from a few hundred dollars to millions, often paid to cybercriminals in Bitcoin.
Over the course of five days, the team at Abnormal Security engaged with the hacker via Telegram, pretending to be an employee who was willing to cooperate.
The hacker shared the file containing the malware and even reduced the ransom price upon hearing that the fake company’s annual revenue was $50 million.
How did the hacker get the contact details of the people he contacted? He mentioned that he got their emails from LinkedIn. LinkedIn, along with other commercial services that sell access to similar data, is a common source scammers use to gather employees’ personal data and information. He also stated that he had planned to target only senior-level executives, but when that plan failed, he pivoted to a ransomware scheme.
Later in the conversation, he revealed that he was a Nigerian building a social networking platform.
Abnormal Security also ran an independent check that confirmed he was a Nigerian.
Due to the pandemic and lockdown restrictions in the past year, the digital world has experienced a rise in cyber attacks. A number of these attacks are made possible via social engineering, which relies on the oversight or negligence of people.
This story is coming at a time when the Nigerian government has allocated ₦1.93 billion ($4.6 million) for a solution that will monitor and intercept WhatsApp messages. The solution is reportedly aimed at protecting Nigerians from cybercrime and terrorism perpetrated through such messaging platforms.
However, media stakeholders and activists consider it another attempt to restrict civil liberties.