DemonWare Solicits Staff to Deploy Ransomware
A cyber-criminal group has been emailing employees and asking them to help attack their own companies with malware.
The insider threat solicitation scheme was discovered by researchers at Abnormal Security. The author of the emails is someone who claims to have links with the DemonWare ransomware group, also known as Black Kingdom and DEMON.
“On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme,” stated Abnormal Security’s Crane Hassold.
“The goal was for them to infect their companies’ networks with ransomware.”
To entice the employees into becoming their criminal accomplices, the email’s author offers them a cut of the loot.
“The sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1m in Bitcoin, or 40% of the presumed $2.5m ransom,” wrote Hassold.
Employees are told how to launch the ransomware physically or remotely. Interested employees are instructed to contact the sender via an email address or via Telegram.
This new and rather brazen attack tactic stood out to researchers, who are used to seeing ransomware deployed via other, more subtle, methods.
“Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts or software vulnerabilities,” wrote Hassold. “Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable.”
Researchers created a fake persona and contacted the attacker asking how they could help in the attack. The attacker sent download links to an executable file that researchers confirmed was ransomware.
Further communication with the attacker revealed that he picked his targets and found their email addresses on the networking site LinkedIn.
“You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA,” commented Roger Grimes, data driven defense evangelist at KnowBe4.
“You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem.”