{"id":19041,"date":"2021-08-23T18:38:16","date_gmt":"2021-08-23T18:38:16","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19041"},"modified":"2021-08-23T18:38:16","modified_gmt":"2021-08-23T18:38:16","slug":"ransomware-groups-look-for-inside-help","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/ransomware-groups-look-for-inside-help\/","title":{"rendered":"Ransomware Groups Look for Inside Help"},"content":{"rendered":"

Ransomware<\/a> attackers, who use myriad methods to get their malware<\/a> into the systems of businesses large and small in hopes of pulling down millions of dollars, are now going directly to the source.<\/p>\n

A researcher with email security solutions vendor Abnormal Security found a threat actor directly emailing employees of a company urging them to release the ransomware into a company computer or Windows server in return for 40 percent \u2013 about $1 million \u2013 of the expected $2.5 million ransom the company would pay.<\/p>\n

The hope was that one of the emails would hit the inbox of a disgruntled employee who would be willing to turn his displeasure into a payday that would help him and the cybercriminal.<\/p>\n

\u201cHistorically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts for software vulnerabilities,\u201d Crane Hassold, director of threat intelligence at Abnormal Security, wrote in a blog post<\/a>. \u201cSeeing an actor attempt to use basic social engineering techniques<\/a> to convince an internal target to be complicit in an attack against their employer was notable.\u201d<\/p>\n

Evolving Ransomware Scene<\/h2>\n

The case of a direct approach to company employees is the latest illustration of the ever-evolving and fluid nature of a ransomware landscape that has become a key threat to organizations around the world. According to a report<\/a> this week by Atlas VPN, the number of ransomware attacks in the first half of 2021 have jumped year-over-year by 151 percent, with the United States being the most targeted country by a wide margin. The numbers in the report come from cybersecurity vendor SonicWall.<\/p>\n

There were 304.7 million ransomware attacks in the first six months of 2021, compared with 121.5 million during the same period last year. This year, 227.3 million of those attacks occurred in the United States.<\/p>\n

\u201cThe number is concerning considering only half of the year has passed and we already know it is the worst result yet,\u201d the researchers wrote. \u201cRansomware has continued to soar because more businesses are willing to pay a ransom to get their data back. That lets hackers know that their methods are working and launching attacks will allow them to earn a quick buck.\u201d<\/p>\n

Fortinet’s midyear threat landscape report<\/a> released today found that ransomware activity is up tenfold from a year ago.<\/p>\n

\"growing<\/p>\n

Filling the Void<\/h2>\n

The shutting down of operations by ransomware groups like REvil and DarkSide also has given other bad actors room to roam, which has fueled a resurgence in the LockBit ransomware-as-a-service<\/a> (RaaS), with the most recent high-profile attack being on global consulting firm Accenture<\/a> that sought a ransom of about $50 million. Organizations in such countries as Italy, Taiwan and the UK also have been targeted by LockBit 2.0, the latest version of the ransomware, according to a report<\/a> this week by cybersecurity vendor TrendMicro. LockBit attackers have also looked for inside help by installing wallpaper on compromised PCs offering a cut of ransomware payments for people inside companies providing access to a system.<\/p>\n

In the case involving Abnormal Security, Hassold said the vendor\u2019s technologies identified and blocked messages sent to several of the vendor\u2019s customers from a bad actor making the offer to senior executives. In the message sent, the bad actor implied he had ties to the DemonWare ransomware group. The malware, which also is known as Black Kingdom and DEMON, has been around for a few years and is available for free on GitHub.<\/p>\n

Further reading: How Zero Trust Security Can Protect Against Ransomware<\/a><\/p>\n

Conversation with a Bad Actor<\/h2>\n

The email also gave two ways a person interested in the offer could contact the bad actor, either through Outlook mail or the Telegram social media platform. Hassold did, creating a fictitious profile and then reaching out via Telegram.<\/p>\n

Over the course of several days of online conversation, Hassold was able to talk the person into sending what turned out to be a file named \u201cWalletconnect (1).exe\u201d containing the ransomware. The amount of the planned ransom demand changed, dropping from $2.5 million to as low as $120,000.<\/p>\n

Regarding the ransomware, \u201cat one point in the conversation, we asked the actor if he had created the ransomware himself or if he was just using it. The actor told us that he \u2018programmed the software using python language,\u2019\u201d he wrote in the blog post. \u201cIn reality, however, all of the code for DemonWare is freely available on GitHub. … In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them.\u201d<\/p>\n

The use of the DemonWare malware \u201cdemonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically-sophisticated actors to get into the ransomware space,\u201d Hassold wrote.<\/p>\n

The bad actor told Hassold that he initially sent senior-level executives at the targeted companies phishing emails in hopes of compromising their accounts, but after that failed, he turned to trying to lure employees to unleash the ransomware themselves.<\/p>\n

Threat Traced to Nigeria<\/h2>\n

Eventually Abnormal Security was able to link the email to a person in Nigeria who told Hassold that he was working to build a social network called Sociogram, going as far as giving Abnormal Security a link to his LinkedIn page.<\/p>\n

\u201cKnowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,\u201d Hassold wrote. \u201c For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity. While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware.\u201d<\/p>\n

In a blog post<\/a>, security threat researcher Chris Krebs wrote that \u201ccybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer\u2019s network for a fee.\u201d<\/p>\n

Krebs added that \u201cseveral established ransomware affiliate groups that have recently rebranded under new banners\u00a0seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.\u201d<\/p>\n

John Hellickson, cyber executive advisor at cybersecurity consultancy Coalfire, told eSecurity Planet<\/em> trawling for disgruntled employees \u201cis an interesting and creative tactic to go after another potential weak link in an organization’s security defenses, but it’s not necessarily new.\u00a0It’s hard to know how often this tactic has been used, but it’s not as prevalent as simple phishing or targeted attacks that have less human-to-human interactions to get a desired malicious outcome.\u201d<\/p>\n

This probably won\u2019t be a significant contributor to the insider threat calculation now, but \u201cit shouldn’t be discounted as something that couldn’t happen at any given organization.\u201d<\/p>\n

Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, a specialist in vulnerability remediation, told eSecurity Planet<\/em> that the tactic is a new twist on a time-tested approach, adding that \u201csocial engineering and phishing tactics are evolving and being utilized to fuel the access hackers need to access corporate networks. But this is just the start.\u201d<\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n