A Nigeria-based ransomware gang is conducting a campaign that dangles a $1 million bribe – or a portion of any ransom collected – to employees of targeted organisations if they will install DemonWare ransomware on their corporate network.

“We constructed a fictitious persona and reached out to the actor on Telegram to see if we could get a response,” says Crane Hassold, director of Abnormal Security, a cyber security company. “It didn’t take long for a response to come back, and the resulting conversation gave us an incredible inside look at the mindset of this threat actor.” Hassold adds: “Based on our conversation with the actor, he claimed to have successfully deployed the ransomware against three companies; however, we haven’t been able to verify his claims.”

The campaign’s operators were quick to react when a researcher answered their email with a reply through Telegram. An attacker responded in about 30 minutes, asking about whether the researcher had access to his employer’s Windows server, Hassold says. The researcher replied “yes” and was rewarded with two links leading to the sharing sites WeTransfer or

“Based on an analysis of the file [examined by Hassold’s team], we were able to confirm that it was, in fact, ransomware,” Hassold notes.

Abnormal Security says the hacker confirmed he was Nigerian. But he also claimed he had developed DemonWare, even though this ransomware is freely available on GitHub. “In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them,” he says. “This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier for less technically sophisticated actors to get into the ransomware space.”

Hassold said: “According to this actor, he had originally intended to send his targets – all senior-level executives – phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.” “Many email-based cyber threats today have become less technically sophisticated because email defenses have gotten quite good at stopping attacks using things like malicious payloads, but aren’t very good at detecting more basic social engineering attacks. “This is why attacks like business email compromise have become so common today.”

Abnormal Security says this campaign is a logical extension of the business email compromise attacks carried out from Nigeria. Hassold says: “While the approach seems amateurish, I think it actually fits within the framework of tactics this actor has become accustomed to. Like many Nigerian threat actors, social engineering has been a core strategy for decades, so it makes sense that this actor would use those techniques even when trying to deploy something more technically sophisticated, like ransomware.”

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply