Friday, March 29, 2024

Ransomware Gang Seeking Helping From Insider Threat to Deploy The Ransomware on the Systems

The security analysts at Abnormal Security classified and blocked a number of uncertain emails recently that were sent to the customers of Abnormal Security security firm.

They detected that all the blocked emails were asking the customers of Abnormal Security to become a coordinator of an insider threat or ransomware scheme.

Here, the primary goal of the threat actor is to lure the customers with lucrative threat scheme incentives and then deploy their ransomware to infect their companies’ networks.

Apart from all these things the analysts have indicated that all blocked emails have come from someone who has links with the DemonWare ransomware group.

Sending the Ransomware Request 

This is one of the latest campaigns that has been implemented by the threat actors. However, in this campaign, the sender determines the employee that if they can dispose of the ransomware on a company computer or Windows server.

In case if they can convince the targeted associate then they would be compensated with $1 million in bitcoin or 40% of the assumed $2.5 million ransom.

Moreover, the employee has been told that if they want to do so, then in that case they can launch the ransomware physically or remotely. 

After investigating the attack, the experts claimed that this ransomware has been distributed through email attachments, as well as using direct network access that was generally achieved via unsecure VPN accounts or software vulnerabilities. 

Finding the Insider 

Throughout a lengthy conversation with the attacker, the Abnormal Security expert asked the threat actor that what we needed to do to help?

After the email, the threat actors responded in just a half-hour and repeated that what was involved in the initial email, and it is followed by a question regarding whether we would be capable to access the fake company’s Windows server or not.

After investing in the ransomware, the threat actor has sent the experts two links for an executable file that could get download on WeTransfer or Mega(.)nz, these two are the file-sharing sites.

Here, the file was named “Walletconnect (1).exe” and based on an examination of the file they were able to authenticate the ransomware.

Finding Targets Through Social Networks

According to the investigation report, in this campaign, the threat actors get their target’s contact information from the professionals’ social networking site, LinkedIn.

And not only LinkedIn, along with it, they also find their targets from similar commercial services that offer the same type of information, as all these platforms are the most common targets for the threat actors to get information like this.

While apart from this, on further investigation the researchers detected that the threat actor is a Nigerian since they found traces of Nigerian currency.

Not only that even during their conversation the actor confirmed that he is from Nigeria and mimicked his name as “the next Mark Zuckerberg.”

So, this event clearly depicts that this type of attack or other malware intrusions is rare.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles