Analysts at Abnormal Security discovered a hacker who was trying to find insiders at large companies and offering them a million dollars in bitcoin (40% of an estimated $2.5 million ransom) if they helped deploy the Black Kingdom ransomware (aka Demonware) on their corporate networks.
The scammer appears to have been inspired by the LockBit 2.0 ransomware developers, who have been actively recruiting corporate insiders to help breach and encrypt company networks. In that scheme, insiders are likewise promised a “fee” of a million dollars.
The Abnormal Security researchers noticed the campaign because the attacker sent multiple messages to mailboxes protected by the company’s platform.
Black Kingdom (Demonware) is an open-source project whose code is available on GitHub and is typically used by less technically sophisticated attackers. The author of the emails, however, claimed it was his own project, written in Python.
The researchers decided to engage the attacker, who had left his contact details in the emails, and reached him via Telegram under an assumed name. The hacker fell for the ruse, took them for a genuinely interested insider, and provided a ransomware payload that could be downloaded from WeTransfer or Mega.nz.
“The attacker instructed us how to get rid of the .EXE file and remove it from the recycle bin. From his responses, it seems clear that he 1) assumes that the insider employee will have physical access to the server, and 2) is not very familiar with digital forensics, investigations and incident response,” the researchers said.
The attacker also assured the “insider” that even if he was caught on surveillance cameras there was nothing to worry about, because the ransomware would encrypt all data, including the recordings from those very cameras.
As the conversation continued (the researchers communicated with the criminal for several days), it became clear that the hacker was quite flexible about the ransom amount: the email had mentioned $2.5 million, but in the chat he said he hoped to get at least $250,000 and then agreed to lower the ransom to $120,000.
According to the criminal, he collected data for his targeted emails through LinkedIn. He admitted that he had initially tried sending phishing emails to senior executives in order to take over their accounts, and only turned to the ransomware scheme after that attempt failed.
Early in the conversation, the researchers did a cursory open-source check and concluded that he was likely Nigerian, having found his details on a website dedicated to trading the naira (Nigeria’s currency).
During the conversation the fraudster confirmed this assumption, saying that he is currently trying to build an African social network and needs money for it. He joked that he could be “the next Mark Zuckerberg.” He even sent the researchers a link to his LinkedIn profile, which contained his full name. He apparently realized his mistake quickly and deleted those messages from the chat, but the researchers had already taken screenshots.