‘Pablo’, a Nigerian man who wanted to build a social network for Africa, tried to fund his startup with ransom payments from ransomware attacks. He actively approached employees of other companies, asking whether they would install ‘his’ ransomware on their employer’s Windows servers. In return, he promised them one million dollars in bitcoin.
Cybersecurity company Abnormal Security has written a detailed blog post about this case. Because the man sent emails to customers of the company, it was able to intercept the messages. To learn more about the Nigerian entrepreneur’s way of working, its security researchers decided to pretend they were willing to install the ransomware.
The attacker initially tried to deploy the ransomware on his targets himself. To do so, he sent phishing emails with malicious attachments to senior employees, aiming to take over their accounts. To project authority, he posed as a company director, a form of attack also known as CEO fraud or Business Email Compromise (BEC).
His plan failed every time, so ‘Pablo’ decided on a different approach: he emailed customers of security company Abnormal Security directly. In the email he said he was looking for employees with ‘physical or remote’ access to their boss’s Windows server who could install DemonWare ransomware. In return, the attacker promised to transfer 40 per cent of the ransom, or one million dollars worth of bitcoin. Interested parties could contact him through his Outlook.com email address or Telegram account.
Employees of Abnormal Security saw the man’s emails and decided to play along. They created a fictitious persona and emailed him asking how they could help. Within half an hour they received a response from ‘Pablo’, who asked whether the employee actually had access to their boss’s Windows server. The fictitious employee assured ‘Pablo’ that this was no problem. The Nigerian man then sent two executables. Analysis by the security company showed that they were indeed ransomware.
‘Pablo’ hoped to make large sums of money from his ransomware attacks, but he quickly lowered his sights. Initially he wanted to rake in $2.5 million, but after a few conversations with Abnormal Security his ransom demand dropped to $120,000. Even when the fictitious employee said his employer had $50 million in annual revenue, he stuck with that amount. “I just want to be a little considerate to him,” he said in defence of his ransom demand.
To appear credible, the fictitious employee asked whether his boss would find out that he was behind the ransomware attack. ‘Pablo’ assured him that his ransomware would erase all traces; the employee would only have to delete the executables and empty the recycle bin.
Asked whether he had developed the ransomware himself, ‘Pablo’ replied that he had ‘programmed the software with Python’. According to the cybersecurity company, that claim is false: DemonWare is freely available to anyone on GitHub. In fact, this ransomware was widely used after Microsoft announced in March that Exchange Server contained four zero-day vulnerabilities.
The security researchers were curious how the man obtained his targets’ contact details, so they asked him directly. The Nigerian man said he used LinkedIn and “commercial services” that sell such information. He also said that he was working from Nigeria to set up a social network for the African continent and that he would be “the next Mark Zuckerberg.” He even sent his LinkedIn profile to the made-up employee, which he evidently came to regret: he later deleted those messages.
Exactly how the story ends, Abnormal Security leaves open. The company does say that it managed to keep the Nigerian ‘entrepreneur’ engaged for five days, and that this was not for nothing. “Because we were able to engage with him, we were able to understand his motivation and tactics,” the company wrote in its blog. “Using these unique intelligence-gathering methods, we are able to gain a deeper understanding of upcoming cyber threats and better protect our customers.”