The Latest Scam: Soliciting Employees to Deploy Ransomware

Author Avatar


Posted on October 11, 2021

The “Nigerian prince” scam was one of the first to exploit the power of the internet for nefarious purposes. After starting in the 1980s with physical letters or faxes, the scammers quickly transferred – and vastly broadened – distribution of their long, involved stories about large sums of money that were stuck in some unstable country by sending email appeals to millions of “Mr. Sirs.” In exchange for helping to move the money to the US, they offered substantial commissions. A common variation on this centuries-old scam, which some trace back to the period following the French Revolution, involved the person claiming to be royalty with a great investment opportunity that depended on the recipient’s help to get the prince’s money out of the country.

Of course, once the scams moved online, electronic banking made it a snap to drain people’s bank accounts. Given how well known these scams are – serving even as the punchlines of jokes on Saturday Night Live – it’s remarkable that the Nigerian Prince scam still raked in over $700,000 last year.

A new variation on email-based attacks

Now, researchers at Abnormal Security have provided details on a new and way more sophisticated criminal email proposition that is being run out of Africa: Soliciting employees to deploy ransomware in their employers’ systems, in exchange for a cut.

Phishing emails are intended to deceive their target readers by impersonating a legitimate source and manipulating users into giving up login credentials, opening an infected attachment, or clicking on a link that will deploy malware.

As companies have stepped up their cybersecurity game, it’s gotten tougher for cybercriminals to penetrate organizations with phishing emails. Sophisticated phishing emails are still quite successful, but not every criminal has the skill to craft effective appeals. The latest wrinkle bypasses manipulation and appeals directly to peoples’ lowest instincts —greed and resentment. Cybercriminals appeal directly to disgruntled or greedy employees of companies targeted for ransomware, and offer an attractive deal. In fact, it’s not really phishing at all – it’s recruiting.

In this case, the initial contact email had “Partnership Affiliate Offer” as its subject line. And it was, in fact, a partnership affiliate offer – to become a partner in crime. The email was very blunt and upfront in its appeal:

  • if you can install and launch our Demonware Ransomware in any company/computer main windows server physically or remotely
  • 40% for you, a milli [sic] dollars for you in BTC
  • if you are interested (email and Telegram addresses)

Errors reveal a newbie behind the attacks…this time

Since the email included contact information, the researchers decided to create a fictitious persona that would allow them to get a better understanding of how the attacker works. They sent a message on Telegram and received a response within half an hour.

The would-be cybercriminal asked if he could access the company’s Windows server. The researchers assured him he could. The attacker sent links for an executable file named “Walletconnect (1).exe,” which the researchers confirmed contained ransomware.

The attacker then started asking questions about how large the company was, and was very flexible regarding the ransom amount, coming down from an imputed $2.5 million (based on the collaborator’s cut) to just $120,000.

The attacker reassured the researchers that they would not be caught since the ransomware would cripple everything, including any CCTV footage. (The attacker apparently lacks a good grasp of today’s IT forensic abilities).

The researchers then asked the attacker how he found dissatisfied employees to target. The reply? On LinkedIn.

When the “collaborators” expressed concern that the attacker might rip them off, he tried to build their confidence by sharing personal information about himself. He said he was in Nigeria and was building an African social networking platform. He joked that he was going be “the next Mark Zuckerberg LOL.” And let slip that the social network was called Sociogram.

When contacted by a journalist writing a story about this new twist on cybercrime, Oluwaseum Medayedupin, Sociogram’s founder, pleaded with the author not to include the company’s name in the story and harm Sociogram’s reputation. He didn’t respond to questions about whether he was in fact trying to recruit people as accomplices in ransomware (he didn’t admit it, but he also didn’t deny it). And, obviously, the author did NOT honor the request to hide the identity of the company.

The ransomware that would have been used in the attack is available on Github for free (ostensibly so that programmers can learn how to protect against it). An attacker such as this one doesn’t even need any technical programming skills – all he needs is the social engineering skills to find a willing accomplice.

Protecting against malicious insider attacks

What if you have a disgruntled employee – likely someone on their way out the door anyway – who is approached for a criminal scheme such as this one and decides to collaborate? What can you do to protect your company?

One of the principles of Zero Trust is to “assume breach.” You build protections into your system to minimize any damage that can be caused by a breach, whether it comes from an outside hacker or someone inside the organization.

Limiting each user’s access to only the data and apps they need to be able to do their jobs is one of the most important things a robust Zero Trust solution does. This approach is called “least privilege access.” Many companies attempt to implement a form of this concept using Role Based Access Control (RBAC), which assigns the same access privileges to all users with similar job descriptions. The problem with RBAC is that it tends to be overly broad: Not everyone with the same job title needs all of the same resources, so inevitably some employees will have access to resources they don’t actually need, which unnecessarily increases the “blast radius” of anything that goes wrong from a security perspective.

While the most secure way to implement least privilege access is on an individual basis, this granular approach is quite challenging. Manually creating policies for each user is very time-consuming and inefficient, and ensuring that the policies stay updated as users take on or shed responsibilities is a never-ending process. To address this issue, we included an innovative capability in our ZTEdge Zero Trust Cloud Security Platform that uses an AI-driven Automatic Policy Builder to customize access for each individual user automatically, and keep those policies current as user responsibilities change, employees leave and outside contractors complete their projects.

Least privilege access policies are enabled through a microsegmentation technique which limits lateral movement on networks. Together, individualized policies and strict microsegmentation controls are key to minimizing damage from either insiders or an outsider who breaches your defenses. Even if a malicious actor compromised one resource, damage would be limited.


Fortunately, this attempt at enticing disgruntled workers was so ham-handed that it is unlikely (but not impossible) that much damage was done. But it is just a matter of time before other cybercriminals adopt a similar tactic and refine it.

There is no way to provide 100% protection against a rogue employee or clever cybercriminals. But Zero Trust applications such as Zero Trust Network Access and Identity and Access Management, which enforce per user least privilege access controls through microsegmentation, can effectively contain and minimize damage from attacks.

Share this on:

Author Avatar

About Leo Versola

For over 25 years, Leo has executed on strategic business vision and technical leadership with a wide range of start-ups and established cybersecurity companies in various senior leadership roles. Leo’s expertise in enterprise, cloud and SaaS security enabled him to build and lead high-performance technical teams driving product development, technical innovation, and sales for a number of companies including VMware, Lastline, Zscaler, Barracuda Networks, Forcepoint, RedSeal Networks, Fortinet, Juniper, and NetScreen.

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.