Researchers have uncovered a campaign in which a Nigerian threat actor is trying to turn an organization’s employees into insider threats. The individual, or potentially multiple individuals, crafted campaign emails that offer 1 million in Bitcoin if the target installs DemonWare on the organization’s network. The threat actors appear to be soliciting targets to deploy the ransomware in exchange for a cut of the ransom profits. A number of these emails were discovered earlier this month. The attackers state that they have ties to the DemonWare ransomware group, also referred to as the Black Kingdom.

The employees targeted in this campaign have been told they can launch the ransomware physically or remotely in exchange for financial compensation. DemonWare is a Nigeria-based ransomware group that has been active for several years and was last spotted alongside other threat actors launching attacks targeting the Microsoft ProxyLogon vulnerabilities in March. Researchers from Abnormal Security decided to test the threat actor by responding to the initial email from DemonWare. The threat actor replied with an iteration of the original email and several questions about the nature of the organization’s networks.