Nigerian Ransomware: An Inside Look at Soliciting Employees to Deploy DemonWare

August 19, 2021

On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme. The goal was for them to infect their companies’ networks with ransomware. These emails allege to come from someone with ties to the DemonWare ransomware group.

DemonWare—also known as Black Kingdom and DEMON—has been around for a few years. Earlier this year, the ransomware was in the news when an actor tried to use it to exploit the significant Microsoft Exchange Vulnerability that was announced in March (CVE-2021-27065).

The Initial Ask: Sending the Ransomware Request

In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom. The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username.

Demonware initial email

Initial email sent by the threat actor.

Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like insecure VPN accounts or software vulnerabilities. Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable.

The tactic used by this actor, however, gave us an opportunity to better understand it. Since the actor invited a target to get in touch with him, we did just that. We constructed a fictitious persona and reached out to the actor on Telegram to see if we could get a response. It didn’t take long for a response to come back, and the resulting conversation gave us an incredible inside look at the mindset of this threat actor.

Instructing the Target and Reducing the Ransom

The first message we sent indicated we saw the email and asked what we needed to do to help. A half hour later, the actor responded and reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server. Of course, our fictitious persona would have access to the server, so we responded that we could and asked how the actor would send the ransomware to us.

Demonware initial response

Initial response from ransomware actor reiterating offer.

Later, the actor sent us two links for an executable file we could download on WeTransfer or, two file sharing sites. The file was named “Walletconnect (1).exe” and based on an analysis of the file, we were able to confirm that it was, in fact, ransomware.

Demonware links

Ransomware actor providing links to ransomware file.

As the conversation continued, it became clear that the actor was quite flexible in the amount of money he was willing to accept for the ransom. While the initial email insinuated the ransom would be $2.5 million, the actor quickly lowered expectations by indicating he hoped he could charge our fake company just $250,000. After our persona mentioned the company we “worked” for had an annual revenue of $50 million, the actor pivoted and lowered the number even further to $120,000.

Demonware updating ransom

Ransomware actor updating ransom amount expectations.

Throughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn’t get caught, since the ransomware would encrypt everything on the system. According to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server.

The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin. Based on the actor’s responses, it seems clear that he 1) expects an employee to have physical access to a server, and 2) he’s not very familiar with digital forensics or incident response investigations.

Demonware instructions

Ransomware actor provides instructions on how to cover our tracks.

At one point in the conversation, we asked the actor if he had created the ransomware himself or if he was just using it. The actor told us that he “programmed the software using python language.” In reality, however, all of the code for DemonWare is freely available on GitHub as a “project was made to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].”

Demonware programming

Ransomware actor attesting to writing the malware himself.

In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them.

Demonware github example

Ransom demand screen provided by our actor vs. ransom demand screen sample from GitHub DemonWare repository.

This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically-sophisticated actors to get into the ransomware space.

The LinkedIn Connection: Finding Targets Through Social Networks

When analyzing cyber attacks, one of the biggest questions to ask is how did an actor initially get the target’s contact information? In this case, since we had our threat actor engaged with us, we thought we should ask him the question directly.

According to the actor, he collects his targeting information from LinkedIn, which, in addition to other commercial services that sell access to similar data, is a common method scammers use to obtain contact information for employees.

Demonware targeting linkedin

Information about how target contact information was collected by ransomware actor.

According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.

Digging Deeper: Understanding the Nigerian Scheme

So who is this person? Before starting our conversation with the actor, we conducted some cursory open source research to see if we could get any clues about his identity. Our initial findings suggested that the actor could potentially be Nigerian, based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website.

Demonware finance

Information found on a Russian social media platform website connecting ransomware actor to Nigeria.

After our conversation started, though, the actor we were talking to was kind enough to confirm our suspicions. After expressing concerns that the actor might pull one over on us, he provided some information about himself. He confirmed that he was located in Nigeria and was trying to build an African social networking platform, joking he was “the next Mark Zuckerberg.” He also provided a link to his LinkedIn profile containing his full name.

Interestingly, the actor must have had second thoughts about sharing his identity with us because he later deleted those messages from our conversation. However, anticipating this regret, we saved screenshots of this information before he deleted it.

Demonware conversation details

Attribution details provided by ransomware actor.

Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified. For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.

While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware.

Collecting Intelligence Through Engagement

Our conversation with this ransomware actor took place over the course of five days. Because we were able to engage with him, we were better able to understand his motivations and tactics.

Threat intelligence like this helps us better understand the bigger picture with additional context—something we’re unable to do by only examining traditional indicators of compromise and raw data. Using these unique intelligence collection methods, we are able to gain a deeper level of insight to help better understand emerging cyber threats and to better protect our customers.

Curious about our additional conversations with this threat actor? View our webinar on Deconstructing the Ransomware Landscape: Conversation with a Real Threat Actor.

Blog yellow microsoft squares
Security is now a $10 billion business for Microsoft, and the company is a leader in five Gartner Magic Quadrants—access management, endpoint management tools, cloud access security brokers, enterprise information archiving, and endpoint protection platforms. This validation proves that their customers...
Read More
Blog library cover
With school starting this month, cybercriminals are back in action—targeting university students in an attempt to steal valuable personal information. In a recent attack uncovered by Abnormal, a credential phishing attacker used a legitimate email account and created false urgency to steal student credentials through a phishing website.
Read More

Related Posts

Quishing blog cover
What is unique to this campaign is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls
Read More
B 10 15 21
With Detection 360, submission to threat containment just got 94% faster, making it incredibly easy for customers to submit false positives or missed attacks, and get real-time updates from Abnormal on investigation, conclusion, and remediation.
Read More
Extortion blog cover
Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
Read More
Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More