Researchers nab wannabe ransomware scammer trying to convince victims to help hack their employer

Ransomware operators have taken their profession’s profitability to new heights in the last couple years by outsourcing their work with the “ransomware-as-a-service” model, in which hackers lease out their malware in exchange for shares of the resulting extortion payments.

Now, a cyber firm has found a ransomware operator going one step further: asking prospective victim companies’ personnel to deploy ransomware on their behalf, then take a cut of the proceeds.

Abnormal Security on Thursday said it recently blocked a batch of emails to its customers that solicited recipients to infect their employers’ networks with ransomware. Researchers set up a fake identity to communicate with the would-be ransomware/insider scheme mastermind — who went by the screen name “Pablo” — under the ruse that the persona would do Pablo’s criminal bidding.

The incident, which occurred in mid-August, marks another tactical swerve in the ever-shifting world of ransomware techniques, and if Pablo’s to be believed, at least three companies have fallen victim to it.

“This is the first time we’ve seen a threat actor attempting to socially engineer an insider employee to deploy ransomware on their behalf against the company they work for,” Crane Hassold, director of threat intelligence for Abnormal Security, said in an email exchange with CyberScoop. “While I think most people would look at this campaign and ask, ‘Who would fall for this?,’ this example shows that cybercriminals are always evolving their tactics to try new things that may be able to evade existing defenses.”

Hassold said his company couldn’t verify Pablo’s claims about successfully infected victims. There are usually valid reasons to suspect the truthfulness of cybercriminals, but some of Pablo’s assertions were more evidently false than others, such as claiming they wrote the ransomware themselves.

In fact, the ransomware in question was DemonWare, the code for which is freely available on GitHub, Abnormal Security said. DemonWare made waves in March as one of the ransomware outfits trying to capitalize on Microsoft Exchange Server vulnerabilities. That pointed investigators toward the notion that the hacker known as Pablo was part of DemonWare’s ransomware-as-a-service program.

Pablo also gave Abnormal Security’s fake persona a bit more information about themselves than they apparently later thought wise, revealing they were stationed in Nigeria and were trying to build an African social networking platform akin to Facebook that Pablo mentioned by name. Pablo later deleted some of that information from the conversation.

The scammer went on to explain that they resorted to the insider option after trying and failing to get phishing emails to their targets, contact information for which they obtained from LinkedIn. Pablo said the ransomware would disrupt any evidence that could tie the accomplice to the attack.

A trademark of Nigerian cyber scammers is social engineering, most infamously in the “Nigerian prince” schemes in which fraudsters try to convince victims to send money under another guise.

“It makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold wrote in a blog post.

As with many ransomware negotiations analyzed by CyberScoop and other publications, Pablo proved flexible on price. Initially, the scheme offered its accomplices $1 million out of a $2.5 million expected ransom. Upon contact, Pablo suggested instead a $250,000 ransom. Told that the company’s revenue was $50 million, Pablo dropped further to a suggested $120,000.

“im confused about the amount, you said id get 1 mil but ur talking about just charging them 120k,” the fake persona wrote to Pablo.

Answered Pablo, “if you want to charge them a milli we’ll charge them a milli I was just being a little considerate for them, lol.”