"Ransomware: This Amateur Attack Shows How Clueless Criminals Are Trying to Get In on the Action"

Cybersecurity researchers at Abnormal Security have released details about an amateur ransomware campaign that uses social engineering to try to persuade employees to install DemonWare ransomware on their own organization's network in return for a cut of the potential ransom payment. DemonWare, also known as Black Kingdom or DEMON, is said to be one of the least sophisticated forms of ransomware.

In this case, the attacker used LinkedIn and other publicly available information to identify potential victims, then reached out to the targets via email, asking whether they wanted to install DemonWare ransomware on their company's network for 40 percent of a $2.5 million ransom. The email gives an email address and a Telegram username for those interested in a cut to contact. The researchers used a fictitious persona to find out more about the campaign and the perpetrators behind it. It became apparent that those behind the campaign were not the most sophisticated, as they quickly lowered the proposed cut of the ransom down to $120,000. The attacker claimed that the person who installs the ransomware on the network would not be caught, saying DemonWare would encrypt everything, including CCTV files. This claim shows that the attacker is not very familiar with how digital forensics or incident response investigations are performed.

Further analysis of the files sent by the attacker confirmed that they were attempting to distribute a working version of DemonWare ransomware. The attacker also claimed to have written the ransomware themselves, but this was a lie, as DemonWare is freely available for download on GitHub. This article continues to discuss findings surrounding the latest DemonWare ransomware campaign and how information security teams could protect networks from being compromised with ransomware.

ZDNet reports "Ransomware: This Amateur Attack Shows How Clueless Criminals Are Trying to Get In on the Action"

 

Submitted by Anonymous on