A Nigerian cybercrime threat actor has been observed attempting to recruit employees by offering them to pay $1 million in bitcoins to deploy Black Kingdom ransomware on companies’ networks as part of an insider threat scheme.

At the beginning of October, a cybercrime threat actor under the handle of “NigerianPrince” was observed offering $1 million in Bitcoin to an individual via Dark Web email provider Sigsaint. The email came with an attachment containing a brochure and a non-executable encrypted archive.

The document included profiles of two individuals on the job market who were presented as insiders willing to deploy ransomware on companies’ systems for financial gain. Both individuals have been involved in attacks conducted by threat actors behind ransomware campaigns like Black Rose, iCrypter and Apocalypse.

The two profiles that were in the archive contained brief resumes focusing on credentials, name, and email information including full names, date of birth, and picture. The resume for the first individual stated various credentials including a custodian role in a business process outsourcing company and the ability to install malware.

The second resume outlined various credentials like an IT administrator’s position at an energy company and servers are administration.

In both documents, one of the two individuals was reported to be available to use “all means” including malware installation on company networks. The deal was advertised to run for two weeks from October 7th, 2017, and October 14th, 2017. At that point in time, neither party had made any payments yet but both said they would.

Cybercrime security researcher Dominik Schiener from the security firm MalwareMustDie investigated both profiles and found the two individuals had not been involved in any previous attacks or incidents. The uploaded files contained zip archives with non-executable files that were to be unarchived by using the password “real”.

After connecting these two individuals to other cybercrime threat actors, like Cyber Hunta and North Waziristan Pakistani Hacker, Schiener started paying attention to their activities. Around the same time of uploading a ZIP archive containing a brochure and resume for an insider threat scheme, NigerianPrince was observed posting a new Bitcoin address on Dark Web marketplace Sibirt.

The ransomware group asking insiders to plant Black Kingdom ransomware on corporations’ networks is not very active. Activity between October 9th and October 22nd shows an email address affiliated with the group attempting to get in touch with someone for a job. This was followed up by another attempt to contact the potential insider threat actor on October 20th, 2017. The group is offering $100,000 in Bitcoin for such a task. An excerpt of the email and a list of indicators related to this campaign are available at the end of this article.

Following these attempts by the Nigerian Prince, there has been another attempt to hire an insider threat actor via Dark Web forums. This time, no listings were found but the potential candidate was asked to get in touch via email. The name and email address do not match previous attempts. The name of the potential insider threat actor is “NigerianPrince2” and can be contacted at nigerianprince2@sigaint.org.

MalwareMustDie researchers are observing a trend where threat actors are willing to pay employees with access to internal systems to plant malware on those networks rather than compromise servers directly.

Both insiders are reported to have visited a number of websites that are either promoting the WannaCry ransomware or offer services similar to the infamous Black Lotus toolkit. Cyber Hunta has also appeared in a number of posts on many other forums discussing the price per infected machine and how they could be used in an insider threat scheme.

The leaked brochure described a model where an insider would be given the opportunity to install Black Kingdom ransomware via their own malware, leaving it up to them if they kept the payment or not. It also explained how each user is assigned a unique Bitcoin wallet address that would be used to receive payments.

The brochure says that if the insider threat actor does not have malware of their own or wants to use one of the group’s custom-made tools, they would be given a customized version of Black Kingdom ransomware with an associated bitcoin wallet. It also covered how the threat actor would receive regular payments and how they could opt out of the offer and keep the bitcoins.

According to the brochure, the scheme would pay $100 dollars per machine infected by Black Kingdom ransomware. The scheme details how a potential insider threat actor can choose their own bitcoin wallet address and how the payment system could be customized at any time.

The information in this article has been extracted from several forums and Dark Web markets. However, we are not aware of any payment requests made by this group. The profiles of the two individuals mentioned in this article have not been found in any other pre-existing threat actor profiles.

Black Kingdom is a ransomware malware family that was first spotted in January 2017. It is not known how exactly Black Kingdom works but it closely resembles how Hermes ransomware works. Like Hermes, Black Kingdom uses AES encryption and appends the file extension “.raptor”. Both families also rely on Tor to contact the command and control server.

Interested in reading more about cybercrime in businesses? Cyber-Attack Groups In Ransomware Web discusses the individuals and groups involved in the ransomware attacks and how they are joining together. Also, our recent article, Insider Threat – Just as Dangerous as Hackers discusses just how serious an insider threat may be for any business.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, cybercrime

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.