Nigerian Ransomware: An Inside Look at Soliciting Employees to Deploy DemonWare

August 19, 2021

On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme. The goal was for them to infect their companies’ networks with ransomware. These emails allege to come from someone with ties to the DemonWare ransomware group.

DemonWare—also known as Black Kingdom and DEMON—has been around for a few years. Earlier this year, the ransomware was in the news when an actor tried to use it to exploit the significant Microsoft Exchange Vulnerability that was announced in March (CVE-2021-27065).

The Initial Ask: Sending the Ransomware Request

In this latest campaign, the sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom. The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username.

Demonware initial email

Initial email sent by the threat actor.

Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like insecure VPN accounts or software vulnerabilities. Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable.

The tactic used by this actor, however, gave us an opportunity to better understand it. Since the actor invited a target to get in touch with him, we did just that. We constructed a fictitious persona and reached out to the actor on Telegram to see if we could get a response. It didn’t take long for a response to come back, and the resulting conversation gave us an incredible inside look at the mindset of this threat actor.

Instructing the Target and Reducing the Ransom

The first message we sent indicated we saw the email and asked what we needed to do to help. A half hour later, the actor responded and reiterated what was included in the initial email, followed by a question about whether we’d be able to access our fake company’s Windows server. Of course, our fictitious persona would have access to the server, so we responded that we could and asked how the actor would send the ransomware to us.

Demonware initial response

Initial response from ransomware actor reiterating offer.

Later, the actor sent us two links for an executable file we could download on WeTransfer or, two file sharing sites. The file was named “Walletconnect (1).exe” and based on an analysis of the file, we were able to confirm that it was, in fact, ransomware.

Demonware links

Ransomware actor providing links to ransomware file.

As the conversation continued, it became clear that the actor was quite flexible in the amount of money he was willing to accept for the ransom. While the initial email insinuated the ransom would be $2.5 million, the actor quickly lowered expectations by indicating he hoped he could charge our fake company just $250,000. After our persona mentioned the company we “worked” for had an annual revenue of $50 million, the actor pivoted and lowered the number even further to $120,000.

Demonware updating ransom

Ransomware actor updating ransom amount expectations.

Throughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn’t get caught, since the ransomware would encrypt everything on the system. According to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server.

The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin. Based on the actor’s responses, it seems clear that he 1) expects an employee to have physical access to a server, and 2) he’s not very familiar with digital forensics or incident response investigations.

Demonware instructions

Ransomware actor provides instructions on how to cover our tracks.

At one point in the conversation, we asked the actor if he had created the ransomware himself or if he was just using it. The actor told us that he “programmed the software using python language.” In reality, however, all of the code for DemonWare is freely available on GitHub as a “project was made to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].”

Demonware programming

Ransomware actor attesting to writing the malware himself.

In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them.

Demonware github example

Ransom demand screen provided by our actor vs. ransom demand screen sample from GitHub DemonWare repository.

This demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically-sophisticated actors to get into the ransomware space.

The LinkedIn Connection: Finding Targets Through Social Networks

When analyzing cyber attacks, one of the biggest questions to ask is how did an actor initially get the target’s contact information? In this case, since we had our threat actor engaged with us, we thought we should ask him the question directly.

According to the actor, he collects his targeting information from LinkedIn, which, in addition to other commercial services that sell access to similar data, is a common method scammers use to obtain contact information for employees.

Demonware targeting linkedin

Information about how target contact information was collected by ransomware actor.

According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.

Digging Deeper: Understanding the Nigerian Scheme

So who is this person? Before starting our conversation with the actor, we conducted some cursory open source research to see if we could get any clues about his identity. Our initial findings suggested that the actor could potentially be Nigerian, based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website.

Demonware finance

Information found on a Russian social media platform website connecting ransomware actor to Nigeria.

After our conversation started, though, the actor we were talking to was kind enough to confirm our suspicions. After expressing concerns that the actor might pull one over on us, he provided some information about himself. He confirmed that he was located in Nigeria and was trying to build an African social networking platform, joking he was “the next Mark Zuckerberg.” He also provided a link to his LinkedIn profile containing his full name.

Interestingly, the actor must have had second thoughts about sharing his identity with us because he later deleted those messages from our conversation. However, anticipating this regret, we saved screenshots of this information before he deleted it.

Demonware conversation details

Attribution details provided by ransomware actor.

Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified. For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.

While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware.

Collecting Intelligence Through Engagement

Our conversation with this ransomware actor took place over the course of five days. Because we were able to engage with him, we were better able to understand his motivations and tactics.

Threat intelligence like this helps us better understand the bigger picture with additional context—something we’re unable to do by only examining traditional indicators of compromise and raw data. Using these unique intelligence collection methods, we are able to gain a deeper level of insight to help better understand emerging cyber threats and to better protect our customers.

Curious about our additional conversations with this threat actor? View our webinar on Deconstructing the Ransomware Landscape: Conversation with a Real Threat Actor.

Related Posts

B 12 03 22 SIEM
Learn about Abnormal’s enhanced SIEM export schema, which provides centralized visibility into email threats
Read More
Blog phishing cover
The phishing email is one of the oldest and most successful types of cyberattacks. Attackers have long used phishing as a common attack vector to steal sensitive information or credentials from their victims. While most phishing emails are relatively simple to spot, the number of successful attacks has grown in recent years.
Read More
Blog brand cover
For those of you who have visited the Abnormal website over the last month, you’ve seen something different—a redesigned brand focused on precision. It’s new and innovative, and different from any other cybersecurity company, because it was created with one thing in mind: our customers.
Read More
B 11 22 21 AAA
At Abnormal, our customers have always been our biggest priority. Customer obsession is one of our five company values, and we live this every single day as we provide the best email security protection available for the hundreds of companies who entrust us to protect their mailboxes.
Read More
Blog microsoft abnormal cover
Before we jump into modern threats, I think it’s important to set the stage ​​since email has been around. Since email existed, threat actors targeted email users with malicious messages, general spam, and different ways to take advantage of the platform. Then of course, more dangerous attacks started to come up… things like malware and other viruses.
Read More
Blog black friday scam cover
While cybersecurity awareness is a year-round venture, it is especially important to be mindful during certain times of the year. With Thanksgiving here in the United States on Thursday, our thoughts will likely be on our family and friends and everything we have to be thankful for this holiday season.
Read More
Blog automation workflows cover
Our newest platform capabilities help customers streamline critical security workflows, like triaging phishing mailbox submissions or triggering tickets to investigate account takeovers, through automated playbooks. Doing so can decrease mean time to respond (MTTR) to incidents, further reducing any potential risk to the organization and eliminating manual workflows to save time and increase the efficiency of IT and security teams.
Read More
Blog tsa scam cover
On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. The email wasn’t sent from a .gov domain, but the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at another quasi-legitimate-looking website.
Read More
Blog pyspark cover
At Abnormal Security, we use a data science-based approach to keep our customers safe from the most advanced email attacks. This requires processing huge amounts of data to train machine learning models, build datasets, and otherwise model the typical behavior of the organizations we’re protecting.
Read More
Blog tiktok attack cover
As major social media platforms have expanded the ability of creators to monetize their content in the last few years, they and their users have increasingly found themselves the targets of malicious activity. TikTok is now no exception.
Read More
Blog ransomware guide cover
While various state agencies and the private sector keep track of ransomware attacks and related tactics worldwide, malicious actors change and evolve their ransomware strategies all the time. We’ve put together a comprehensive guide that will define ransomware, how to detect it, and what steps to take if you’ve fallen victim to a ransomware virus attack.
Read More
Blog detection efficacy cover
One of the key objectives of the Abnormal platform is to provide the highest precision detection to block all never-before-seen attacks. This ranges from socially-engineered attacks to account takeovers to everyday spam, and the platform does it without customers needing to create countless rules like with traditional secure email gateways.
Read More