As the Guardian wrote about the situation, the new ransomware victims ask two other users to install the link and pay the ransom to decrypt their files.
Researchers discovered a blocked phishing email on August 12 that responded to the request and tried to impersonate an employee to reach the actor via Telegram Messenger. The vulnerabilities discovered in the blocked emails attempted to create a fictitious person to reach the Nigerian threat actor via Telegram Messenger, so that the threat actor could spill the attack's modus operandi and contain a two-part executable ransomware payload that employees could download via WeTransfer. Abnormal Security detected and blocked the phishing email, which tried to produce the fake persona and reach her Telegram Messenger identity, so that she could integrate the ransomware payload, which the employees had received through WeTransfer.
Nigerian threat actors have been caught trying to recruit workers and pay them 1 million Bitcoins to use the Black Kingdom ransomware on the company’s network as part of an insider threat scheme. Nigerian threat actors were observed attempting to recruit the workers and hand over the money to the company’s network as part of the insider threat scheme. A Nigerian threat actor was observed attempting to recruit employees by offering them a $1 Bitcoin reward to use Black Kingdom in the affiliated corporate network as part of the insider threat scheme.
The Black Kingdom ransomware used on company networks as part of the insider threat scheme, also known as DemonWare or Demon, attracted attention in March when a threat actor was found exploiting the ProxyLogon vulnerability that affected Microsoft Exchange servers to infect unpatched systems with the ransomware strain.
In the latest campaign, the criminals told employees that they would receive 1 million Bitcoins (40% of the suspected ransom of 25 million dollars) if they used the ransomware on company computers and Windows servers. According to researchers from cloud email security platform Abnormal Security, Nigerian threat actors told the employees that they could use the ransomware if they paid the ransom. Employees were also told that they could launch the ransomware remotely.
Ransomware gangs lock up company data and demand payments, costing companies up to $20 billion a year. New research by Kaspersky has revealed that 56% of ransomware victims have not yet paid a ransom. The creators of ransomware tools developed to carry out ransomware attacks take a percentage of each successful ransom payment.
In Britain, former top cybersecurity official Ciaran Martin accused cybersecurity firms of funding organised crime by facilitating payments to ransomware gangs. In 2020 there were 33 ransomware attacks on government agencies (Security Intelligence, 2020), and in June 2019 the City of Florida paid $600,000 ransom to recover hacked files.
In 2019, 56 organizations from multiple industries reported ransomware attacks. Last year, ransomware attacks grew to 43.5%, according to Deep Instinct, a New York start-up that uses artificial intelligence to ward off attacks. With the increasing dependence on mobile phones and the use of personal mobile devices in the workplace, the risk of a ransomware attack is higher for everyone.
In June, a West Coast university paid cybercriminals $11.4 million in bitcoin in a ransomware attack. The vicious circle that fuels ransomware is one of the world’s worst cyber crimes, in which criminals take control of a company’s computer network and encrypt their data with secret code. According to Emsisoft, a New Zealand cybersecurity firm that helps ransomware victims retrieve their data, the gang has taken over the networks of 560 health facilities, 1,481 schools and colleges and more than 1,300 businesses.
Ransomware can be traced back to 1989, when the HIV virus was used to extort money from victims of ransomware. With the growth of cryptocurrencies like Bitcoin, ransomware attacks began to gain popularity. The malware forces financial companies to trick employees into clicking on malicious documents, allowing attackers to move around the network, manipulate ATMs known as jackpotting and compromise cash register data.
Attempts to use insiders for ransomware attacks, like other malware intrusions, are rare. In 2016, only about 4,000 ransomware attacks occurred in the U.S., of which only about half were successful and infected about 20% of an organization’s computers. At the same time, ransomware hackers often target insured victims.
In July 2020, Egor Igorevich Kriuchkov conspired to extort $4 million from an electric car manufacturer by trying to get employees to install malicious software that could extract data from the company network. A ransomware gang based in Nigeria carried out a campaign in which a million dollars in bribes – part of the ransom collected by employees of target organizations – had been paid to induce them to install DemonWare ransomware on their corporate networks, Abnormal Security reported.
Darkside started recruiting new partners last month and is looking for network penetration testers to help transform a single compromised computer into a complete data breach or ransomware incident. Darkside Group adheres to the current bad-guy best practice of double extortion, which consists of demanding a separate sum and a separate ransom for each digital key that is needed to unlock files on the server in exchange for the promise to destroy the stolen data. The group says it targets large companies and prohibits affiliates from dropping ransomware on organizations in several industries including healthcare, funeral services, education, the public sector and nonprofit organisations.
The explicit and deliberate strategy relied on LinkedIn to collect e-mail addresses of executives, highlighting companies whose e-mails were compromised by the BEC attack originating in Nigeria and then going on to expose the company through sophisticated ransomware attacks.