The security analysts at Abnormal Security classified and blocked a number of uncertain emails recently that were sent to the customers of Abnormal Security security firm.
They detected that all the blocked emails were asking the customers of Abnormal Security to become a coordinator of an insider threat or ransomware scheme.
Here, the primary goal of the threat actor is to lure the customers with lucrative threat scheme incentives and then deploy their ransomware to infect their companies’ networks.
Apart from all these things the analysts have indicated that all blocked emails have come from someone who has links with the DemonWare ransomware group.
Sending the Ransomware Request
This is one of the latest campaigns that has been implemented by the threat actors. However, in this campaign, the sender determines the employee that if they can dispose of the ransomware on a company computer or Windows server.
In case if they can convince the targeted associate then they would be compensated with $1 million in bitcoin or 40% of the assumed $2.5 million ransom.
Moreover, the employee has been told that if they want to do so, then in that case they can launch the ransomware physically or remotely.
After investigating the attack, the experts claimed that this ransomware has been distributed through email attachments, as well as using direct network access that was generally achieved via unsecure VPN accounts or software vulnerabilities.
Finding the Insider
Throughout a lengthy conversation with the attacker, the Abnormal Security expert asked the threat actor that what we needed to do to help?
After the email, the threat actors responded in just a half-hour and repeated that what was involved in the initial email, and it is followed by a question regarding whether we would be capable to access the fake company’s Windows server or not.
After investing in the ransomware, the threat actor has sent the experts two links for an executable file that could get download on WeTransfer or Mega(.)nz, these two are the file-sharing sites.
Here, the file was named “Walletconnect (1).exe” and based on an examination of the file they were able to authenticate the ransomware.
Finding Targets Through Social Networks
According to the investigation report, in this campaign, the threat actors get their target’s contact information from the professionals’ social networking site, LinkedIn.
And not only LinkedIn, along with it, they also find their targets from similar commercial services that offer the same type of information, as all these platforms are the most common targets for the threat actors to get information like this.
While apart from this, on further investigation the researchers detected that the threat actor is a Nigerian since they found traces of Nigerian currency.
Not only that even during their conversation the actor confirmed that he is from Nigeria and mimicked his name as “the next Mark Zuckerberg.”
So, this event clearly depicts that this type of attack or other malware intrusions is rare.