Threat Actors Offer $1M to Employees for Deploying Ransomware

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Researchers at Abnormal Security have spotted and thwarted a number of attempts earlier this month to solicit some of their customers’ employees to install DemonWare ransomware for $1 million in bitcoin. The threat actors responsible for the attempted attack said they are linked to the DemonWare ransomware group, also known as Black Kingdom or DEMON.

“On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme. The goal was for them to infect their companies’ networks with ransomware,” wrote Crane Hassold in a blog.

In this latest ransomware email campaign, the employees received a message telling them that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin. This amounts to 40% of the total $2.5 million demanded ransom.

The email added that the ransomware could be launched physically or remotely and provided two methods to contact the threat actors: An Outlook email account and a Telegram username.

DemonWare is a Nigeria-based ransomware group that has been operating for a few years and has been seen most recently launching a barrage of attacks whose target was Microsoft Exchange’s ProxyLogon set of vulnerabilities.

Ransomeware attacks are quite popular. Just last July, a colossal ransomware attack hit hundreds of businesses in 17 countries. The question then becomes: Should companies pay up to deal with these attacks?

A study found that over half of ransomware victims paid the ransom to restore their data. The reasons for paying the ransom were many, with one of the main ones being that access to data is of crucial importance and cannot be risked.

Luckily, in this case, the attack was thwarted before it even began, allowing this business to keep its money where it belongs: In its own accounts.