Security News > 2021 > August > Cybercrime Group Asking Insiders for Help in Planting Ransomware
A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on their companies' networks as part of an insider threat scheme.
"The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security said in a report published Thursday.
"The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested - an Outlook email account and a Telegram username."
Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found exploiting ProxyLogon flaws impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.
Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation attempt by creating a fictitious persona and reaching out to the actor on Telegram messenger. The individual then inadvertently spilled the attack's modus operandi, which included two links for an executable ransomware payload that the "Employee" could download from WeTransfer or Mega.nz.
Also of particular note is the method of using LinkedIn to collect corporate email addresses of senior-level executives, once again highlighting how business email compromise attacks originating from Nigeria continue to evolve and expose businesses to sophisticated attacks like ransomware.