DemonWare Solicits Staff to Deploy Ransomware


A cyber-criminal group has been emailing employees and asking them to help attack their own companies with malware. 

The insider-threat solicitation scheme was discovered by researchers at Abnormal Security. The author of the emails claims to have links with the DemonWare ransomware group, also known as Black Kingdom and DEMON.

"On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme," stated Abnormal Security's Crane Hassold. 

"The goal was for them to infect their companies’ networks with ransomware."

To entice the employees into becoming their criminal accomplices, the email's author offers them a cut of the loot. 

“The sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1m in Bitcoin, or 40% of the presumed $2.5m ransom," wrote Hassold. 

Employees are told how to launch the ransomware, either by hand on a machine they can reach or remotely. Interested employees are instructed to contact the sender via an email address or via Telegram.

The tactic stood out to researchers for its brazenness: ransomware operators typically obtain their foothold by quieter means than asking an insider outright.

"Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts or software vulnerabilities," wrote Hassold. "Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable."

Researchers created a fake persona and contacted the attacker asking how they could help in the attack. The attacker sent download links to an executable file that researchers confirmed was ransomware. 

Further communication with the attacker revealed that the targets were chosen, and their email addresses harvested, from profiles on the networking site LinkedIn.

"You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA," commented Roger Grimes, data-driven defense evangelist at KnowBe4.

“You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem."
