DemonWare ransomware gang attempts to recruit disgruntled employees in insider threat scheme

According to a report by Abnormal Security, on August 12, 2021, its team identified and blocked a number of emails sent to customers soliciting them to become accomplices in an insider threat scheme. The goal was for the recipients to infect their own companies’ networks with ransomware. The emails claim to come from someone with ties to the DemonWare ransomware group.

DemonWare—also known as Black Kingdom and DEMON—has been around for a few years. Earlier this year, the ransomware was in the news when an actor tried to use it to exploit the significant Microsoft Exchange vulnerability that was announced in March (CVE-2021-27065).

Here are the reactions of cybersecurity experts who weighed in on this rudimentary but nonetheless concerning tactic.

Tim Erlin, VP of strategy at Tripwire:

“There’s always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are intertwined. As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals.

The idea of a disgruntled insider as a cybersecurity threat isn’t new. As long as organizations require employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there’s almost zero guarantee that this kind of complicity will actually be rewarded, and it’s highly likely that someone taking this attacker up on their offer would get caught.”

Roger Grimes, data-driven defense evangelist at KnowBe4:

“This is not the first instance I have heard about employees, disgruntled or not, being paid to place ransomware into their companies. The most famous one was the $1M promised to a Tesla employee. A Russian ransomware spreader was arrested in that case. The big question to ask is, how prevalent is it? Is it just a few here and there, or is it more widespread than believed? I do not know the answer, but there have to be some takers. That is why it is always important that ransomware victims try their best to track down how the ransomware got into their environment. It is an important step. If you do not figure out how hackers, malware and ransomware are getting in, you are not going to stop them or their repeated attempts. Fortunately, we know the most common root cause, and it is not disgruntled employees. It is social engineering employees into running trojan horse programs or into providing their login credentials, followed by unpatched software. These two root causes account for likely 90 percent of all hacker and malware exploitations. You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA. You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem.”

Niamh Muldoon, Global Data Protection Officer at OneLogin:

“In this case, the attacker attempted to recruit an insider to infiltrate the organisation. However, prior to this, the threat actor utilised LinkedIn to collect target email addresses and leveraged social engineering techniques to compromise accounts. This is a prevalent tactic in today’s digital transformation age, requiring individuals to be vigilant about protecting their digital identity and information assets.

Personal assessments of high-value and/or high-profile individuals need to focus on keeping their clients security aware, implementing clear processes on how to deal with and report phishing, and implementing technical controls to reduce the chance of associated risks materialising.

It is important that organisations and individuals know what they have, know where it is, know what it’s worth and determine how to protect it. Think of it from a security perspective first. By this we mean protecting accounts and your data from unauthorised access. Next, think of it from a privacy perspective: what data do we want to share, and for what purpose?

To continue to protect digital identity online and reduce risk of account compromise, some key industry best practice actions are:

Key Personnel Actions:

  • Run an audit of the total number of devices and systems managed.
  • Securely dispose of unused and/or old devices.
  • Ensure two-factor authentication is applied on all apps, tools and logins.
  • Set strong/unique passwords, keep them safe and private.
  • Restrict access to others on a need-to-know basis.
  • Disable Bluetooth and GPS whenever possible.
  • Apply the highest privacy settings available.
  • Apply all updates and patches as they become available.
  • Actively manage online presence and social media.
  • Enable monitoring and alerting for all social media and online accounts.
  • Require all account changes be subject to authorization via strong two-factor authentication.
  • Set contact preference for your monitoring and alerting.”