Researchers at Abnormal Security have identified an email campaign run by a Nigerian threat group that is advertising for individuals to take part in ransomware attacks in exchange for a cut of any ransom payments they help to generate. The tactic itself is nothing new: many ransomware operations recruit affiliates to conduct attacks in exchange for a share of the profits under the ransomware-as-a-service (RaaS) model. This campaign differs in that it seeks insiders – employees at large companies who are willing to use the access they already have to corporate networks to install DemonWare ransomware.
DemonWare is known to be operated by a Nigerian threat group that uses a variety of methods to install the ransomware, most recently exploiting the unpatched Microsoft Exchange vulnerabilities known as ProxyLogon.
According to Abnormal Security, the threat group is offering insiders the opportunity to earn $1 million in Bitcoin for deploying the ransomware on a computer or Windows server. In the emails, the Nigerian threat group claimed to have links to the operators of the ransomware – a threat group known as Black Kingdom. The $1 million figure is based on an assumed ransom payment of $2.5 million, of which the insider would receive a 40% cut.
To learn more about the nature of the campaign, Abnormal Security researchers responded to the email and claimed to work at a company where they had access to a Windows server. After communicating with the threat group over a 5-day period, they were supplied with links to two executable files hosted on the WeTransfer and Mega.nz file-sharing websites. After downloading the files, the researchers confirmed that one of them was a ransomware sample.
The threat actor was willing to negotiate its share of any ransom payment and encouraged the researchers throughout the exchange to go ahead with the attack, offering reassurance that they would not get caught because all files on their network would be encrypted, including any CCTV camera footage.
According to the researchers, the experiment provided new insight and context into how West African threat actors, especially those based in Nigeria, are increasingly using social engineering techniques in their attacks, and showed that they are now branching out from their usual phishing and scam email campaigns and business email compromise (BEC) attacks.
Whether the threat actor would make good on the promise and pay the insider after the ransomware was deployed is not known. Regardless of any reassurances, it is the employee who would most likely be caught and brought to justice, and the penalties for such an attack are severe.