Ransomware Attacker Offers Employees a Cut if They Install DemonWare on Their Organizations Systems

Published: 23/11/2024   Category: security

Researchers went undercover and posed as willing insider threats to expose and study an unusual hybrid BEC-style social engineering-ransomware scheme.



Researchers masqueraded as a rogue employee to engage with a ransomware operator soliciting insiders to plant ransomware on their own organizations' servers in exchange for a portion of the ransom money. Their ploy gave them a front-row seat to a rare ransomware threat — one that comes with a bold social engineering twist.
Crane Hassold, director of threat intelligence for email security firm Abnormal Security, has been interacting with the would-be attacker since Aug. 12. Based on the intelligence he has gathered and gleaned from their online interactions, he believes the attacker is a Nigeria-based business email compromise (BEC) scammer.
"It's an interesting and novel tactic," says Hassold of the attack.
The scam is somewhat reminiscent of a more targeted ransomware attempt on Tesla last year, when cybercriminals tried to bribe an employee at the carmaker's Gigafactory in Nevada to the tune of $1 million to help infect the company's network with ransomware. The employee instead worked with the FBI to help get the cybercriminal, a Russian national, arrested.
Meanwhile, Hassold has been communicating via Telegram with this new extortionist attacker, posing as a willing but nervous employee interested in getting a cut of a potential ransom payment. "I don't know how successful it will be at the end of the day, but they are not looking at a high success rate. ... They want to make enough money to make the ROI."
The attacker apparently initially attempted to dupe his victims using the usual BEC method of gathering contact information on LinkedIn and sending phishing emails to senior-level executives in hopes of stealing credentials and getting account access. Hassold says when the credential-phishing failed, the attacker pivoted to a ransomware attack deal-making scheme offered via an email message.
"It's really interesting to me that while we think of ransomware as a technically sophisticated attack, when we think of Nigerian scammers we think of social engineering. Now we have a hybrid attack, using the same social engineering tactics he's probably using on a daily basis on BEC, credential, and romance scams and tossing it in with ransomware."
The attack goes like this: The employee receives an email offering $1 million in Bitcoin, or 40% of a $2.5 million ransom bounty, if he or she installs DemonWare ransomware — either physically or remotely — on their company's Windows server or other computer. If the employee wants to take them up on it, he or she contacts the attacker via the Outlook email address or Telegram account provided in the initial email.
Given that most ransomware attacks begin with a rigged email attachment or via a compromised VPN account or software vulnerability, recruiting an insider to go rogue was an unusual tactic, according to Hassold, especially since it was not a targeted attack.
DemonWare ransomware, aka Black Kingdom, is available on GitHub for download, but the attacker told Hassold he had written the ransomware himself using Python. It's been most famously used to exploit the ProxyLogon (CVE-2021-27065) vulnerability in Microsoft Exchange earlier this year.
Abnormal decided to engage with the attacker after spotting and blocking several of his email attempts to co-opt accomplices to infect their employers' systems with the ransomware. Hassold says the would-be targets spanned companies of all sizes and from different industry sectors, demonstrating the wide net the attacker had cast in hopes of cashing in.
He sent Hassold and his team links to an executable file called Walletconnect (1).exe, and they confirmed it was ransomware. The attacker also sent Hassold a screenshot of his ransomware control panel, and it appeared to bolster his claim that he had successfully recruited three victims who had installed the ransomware in their organizations.
The kicker, though, is that if an employee were to go rogue and install the ransomware on the company server, their role in the attack likely would be exposed at some point during the incident response. Hassold says the attacker reassured him that all files would be encrypted, and not to worry because even if the victim pays up and the files are decrypted, they won't know it was his doing. "He told me once I've installed the ransomware then just put [the .exe file] in the recycle bin and [delete it] and it will be fine."
That naive comment demonstrates how little the attacker knows about digital forensics and incident response, Hassold says.
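The reason that advice fails is that execution leaves records the file deletion does not touch. As an added illustration (not from the article or from Abnormal Security), the script below correlates constructed Sysmon-style events, ID 1 for process creation and ID 23 for file deletion, to flag a binary that was launched and then deleted shortly afterwards; the flattened field names and the sample events are assumptions for the example.

```python
"""Added example: flag an executable that was run and then deleted soon after,
the pattern the attacker described. Uses constructed Sysmon-style events with
simplified field names (assumption): ID 1 = ProcessCreate, ID 23 = FileDelete."""
from datetime import datetime, timedelta

# Constructed sample telemetry for one host; not real logs from any incident.
EVENTS = [
    {"id": 1, "time": "2021-08-12T09:00:00", "user": "CORP\\jdoe",
     "path": r"C:\Program Files\Vendor\update.exe"},
    {"id": 1, "time": "2021-08-12T10:01:05", "user": "CORP\\jdoe",
     "path": r"C:\Users\jdoe\Downloads\Walletconnect (1).exe"},
    {"id": 23, "time": "2021-08-12T10:03:40", "user": "CORP\\jdoe",
     "path": r"C:\Users\jdoe\Downloads\Walletconnect (1).exe"},
    {"id": 23, "time": "2021-08-12T16:00:00", "user": "CORP\\jdoe",
     "path": r"C:\Users\jdoe\Downloads\notes.txt"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_run_then_delete(events, window_minutes=30):
    """Return launches whose image file was deleted within `window_minutes` after.

    The process-creation record survives the deletion of the binary, which is
    why the pattern remains visible after the .exe has been removed.
    """
    window = timedelta(minutes=window_minutes)
    launches = {}
    for e in events:
        if e["id"] == 1:
            key = (e["user"].lower(), e["path"].lower())
            launches.setdefault(key, []).append(_ts(e["time"]))
    hits = []
    for e in events:
        if e["id"] != 23:
            continue
        key = (e["user"].lower(), e["path"].lower())
        for started in launches.get(key, []):
            gap = _ts(e["time"]) - started
            if timedelta(0) <= gap <= window:
                hits.append({"user": e["user"], "path": e["path"],
                             "seconds": int(gap.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in find_run_then_delete(EVENTS):
        print(f"{hit['user']} ran and then deleted {hit['path']} "
              f"after {hit['seconds']}s")
```

In a real deployment the same correlation would be run over Sysmon or EDR process and file events, alongside Prefetch, Amcache and Shimcache artifacts that also record the execution.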
Hassold and his team were able to gather some personal details on the would-be attacker, including his location in Nigeria. "He sent me his LinkedIn profile, which of course could be fake, but some information matches what we found in our open source analysis of him," Hassold says.
Ransomware Helps BEC Evolve
The researchers shared their findings with US law enforcement, including the attacker's name and LinkedIn profile. But it's unlikely to result in any legal action anytime soon because officials need an actual victim's case to pursue a full investigation. "It's a chicken-and-egg situation with law enforcement at times," Hassold says.
"I think based on this campaign it's interesting to note that ransomware has really gotten to the point that you have actors usually in other spaces at least trying to use fear-mongering of ransomware to make themselves money," he says.
Even so, ransomware is still nowhere near as lucrative as BEC attacks, he says. The BEC-type attack causes the most financial impact to date, he notes. And the Nigeria-based BEC groups are constantly evolving, he says, and running multiple scams simultaneously.
"It doesn't surprise me at all to see these actors at a minimum testing out a tactic like this to see if it will be successful," Hassold says.
According to the 2021 Verizon Data Breach Investigations Report, BEC was second only to phishing as the most common type of social engineering attack. Of the nearly 60% of BEC attacks that stole money, the median loss to victims was $30,000. Some 95% of BECs cost victims between $250 and $984,855.
BEC attacks cost US organizations some $1.77 billion overall in 2019, according to the FBI.
"A well-credentialed insider threat is the soft underbelly of an organization," notes Cameron Camp, a security researcher with ESET. "A high-value target that can plant malicious payloads deep in the mothership is probably worth whatever the bad actors have to pay."
While rogue insiders are much less common than a pure BEC attack attempt, this scheme underscores how many cyberattacks don't entail malicious payloads coming in via email. "It's more about social engineering attacks," he says, adding that this is a great example of a less technically sophisticated attack that relies mainly on social engineering.