{"id":2925,"date":"2021-08-21T13:44:29","date_gmt":"2021-08-21T08:14:29","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2925"},"modified":"2021-08-21T13:44:31","modified_gmt":"2021-08-21T08:14:31","slug":"how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/","title":{"rendered":"How a Group of Attackers are asking Employees for Help in planting Ransomware?"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">A Nigerian attacker has been seen attempting to recruit employees by offering to pay them $1 million in bitcoins to set up Black Kingdom&nbsp;ransomware on an organization&#8217;s networks as part of an insider threat scheme.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cThe sender tells the employee that if they are able to set up ransomware on an organization computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million of ransom.\u201d \u201cThe insider is told they can set up the ransomware physically or remotely. 
The sender provided two ways to connect with them if the insider is interested\u2014an Outlook email account and a Telegram username.\u201d<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Black Kingdom, also known&nbsp;as DemonWare and DEMON, was in the limelight earlier this March when attackers were discovered exploiting ProxyLogon bugs affecting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Security researchers, who analyzed and blocked the phishing emails on August 12, responded to the solicitation attempt by creating a fictitious persona and reached out to the threat actor on Telegram messenger, only to have the individual inadvertently spill the attack\u2019s modus operandi, which consisted of two distinct links for an executable ransomware payload that the \u201cemployee\u201d could download.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How do Threat Actors Manipulate the Insiders?<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cThe threat actor also suggested that we dispose of the .EXE file and delete it from the recycle bin. 
Based on the threat actor\u2019s reply, it looks clear that he might expect an insider to have physical access to a server or he\u2019s not familiar with digital forensics or incident response research.\u201d<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"728\" height=\"467\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image1.jpg\" alt=\"How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image1\" class=\"wp-image-2927\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image1.jpg 728w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image1-300x192.jpg 300w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">Besides the actor taking a flexible approach to the ransom demands, the plan is believed to have been concocted by the chief executive of a Lagos-based social networking startup called Sociogram, with the aim of using the siphoned funds to \u201cestablish my own company.\u201d In one of the conversations, which took place over around five days, the individual even took to calling himself \u201cthe next Mark Zuckerberg.\u201d<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How do they Collect Insiders&#8217; Information?<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">Also of particular note is the method of using LinkedIn to collect corporate email addresses of senior-level executives, once again highlighting how business email compromise (BEC) attacks originating from Nigeria continue to evolve and expose businesses to sophisticated attacks like ransomware.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: 
justify;\">&#8220;There&#8217;s always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are connected. As most people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals,&#8221; Tim Erlin, vice president of product management and strategy at Tripwire, said.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">&#8220;The concept of a disgruntled insider as a cybersecurity threat isn&#8217;t new. As long as organizations require employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there&#8217;s almost zero guarantee that this kind of complicity will actually be rewarded, and it&#8217;s notably likely that someone taking this attacker up on their proposal would get taken,&#8221; researchers added.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Nigerian attacker has been seen attempting to recruit employees by offering to pay them $1 million in bitcoins to set up Black Kingdom&nbsp;ransomware on an organization&#8217;s networks as part of an insider threat scheme. \u201cThe sender tells the employee that if they are able to set up ransomware on an organization computer or Windows server, then [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2928,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How a Group of Attackers are asking Employees for Help in planting Ransomware? 
- Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How a Group of Attackers are asking Employees for Help in planting Ransomware? - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A Nigerian attacker has been seen attempting to recruit employees by offering them to pay $1 million in bitcoins to setup Black Kingdom&nbsp;ransomware on an organization&#8217;s networks as part of an insider threat scheme. \u201cThe sender tells the employee that if they are able to setup ransomware on an organization computer or Windows server, then [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-21T08:14:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-21T08:14:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta 
name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How a Group of Attackers are asking Employees for Help in planting Ransomware?\",\"datePublished\":\"2021-08-21T08:14:29+00:00\",\"dateModified\":\"2021-08-21T08:14:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\"},\"wordCount\":516,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Infosec News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\",\"name\":\"How a Group of Attackers are asking Employees for Help in planting Ransomware? 
- Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-08-21T08:14:29+00:00\",\"dateModified\":\"2021-08-21T08:14:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How a Group of Attackers are asking Employees for Help in planting Ransomware?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How a Group of Attackers are asking Employees for Help in planting Ransomware? - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"How a Group of Attackers are asking Employees for Help in planting Ransomware? 
- Xiarch Solutions Private Limited","og_description":"A Nigerian attacker has been seen attempting to recruit employees by offering them to pay $1 million in bitcoins to setup Black Kingdom&nbsp;ransomware on an organization&#8217;s networks as part of an insider threat scheme. \u201cThe sender tells the employee that if they are able to setup ransomware on an organization computer or Windows server, then [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-08-21T08:14:29+00:00","article_modified_time":"2021-08-21T08:14:31+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-a-Group-of-Attackers-are-asking-Employees-for-Help-in-planting-Ransomware-image2.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How a Group of Attackers are asking Employees for Help in planting Ransomware?","datePublished":"2021-08-21T08:14:29+00:00","dateModified":"2021-08-21T08:14:31+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/"},"wordCount":516,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Infosec News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/","url":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/","name":"How a Group of Attackers are asking Employees for Help in planting Ransomware? 
- Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-08-21T08:14:29+00:00","dateModified":"2021-08-21T08:14:31+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-a-group-of-attackers-are-asking-employees-for-help-in-planting-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How a Group of Attackers are asking Employees for Help in planting Ransomware?"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2925"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2925"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2925\/revisions"}],"predecessor-version":[{"id":2929,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2925\/revisions\/2929"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2928"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}