The hacker behind the plan to recruit disgruntled employees to spread the ransomware appears to be an amateur who may have exposed his identity.
Is the hacker behind the recent ransomware scheme really a Nigerian CEO desperate for funding? Anti-phishing company Abnormal Security uncovered a strange phenomenon while investigating a ransomware campaign targeting its customers.
Last week, Abnormal Security detected and blocked several phishing emails that were trying to recruit company employees to install ransomware on their corporate networks. The criminal behind the email promised to pay $1 million in bitcoin, or 40% of the total proceeds. The same email also contained an email address and Telegram and WhatsApp numbers for contacting the author.
However, the hacker behind this scheme appears to be an amateur who may have unknowingly revealed his identity. To investigate, Abnormal Security created a fake persona and began communicating with the author of the phishing email.
The criminal ended up sharing links to ransomware executable files that could be installed on Windows Server. But during the conversation the attacker also revealed the motive behind his plan. "I just need some funds to start my own company," he wrote.
The hacker revealed even more personal information after Abnormal Security wrote back, saying it was concerned that the whole scheme was a prank. "He confirmed that he was based in Nigeria and was trying to build an African social networking platform, joking that he was the 'next Mark Zuckerberg.' He also provided a link to his LinkedIn profile containing his full name," Abnormal Security threat intelligence director Crane Hassold wrote in the report.
Abnormal Security also searched the open web for the contact details left in the phishing emails. The search turned up accounts on a currency trading site and a Russian social media platform that linked those contact details to a Nigerian user.
"Knowing that the actor is Nigerian really brings the whole story full circle and provides some remarkable context for the tactics used in the initial email we identified," Hassold wrote. "For decades, West African scammers based primarily in Nigeria have perfected the use of social engineering in cybercrime activity."
Indeed, Nigerian fraudsters have been tied to stealing millions from unsuspecting victims through fake emails and online romance scams. However, the culprit behind this particular scheme was no expert when it came to ransomware. For example, the malicious files provided were actually traced back to a freely available ransomware demo on GitHub.
At one point, Abnormal Security's persona even raised concerns about being caught while installing the ransomware on company servers. In response, the hacker said that the upcoming attack would "cripple" all surveillance cameras on the corporate network. The hacker then encouraged Abnormal Security to get rid of the ransomware package by sending it to the Recycle Bin after installation, apparently unaware that a digital forensic investigation could still uncover traces of the infection vector.
Security journalist Brian Krebs has identified the LinkedIn profile that the hacker shared with Abnormal Security. It belongs to a Nigerian man named Oluwaseun Medayedupin, who lists himself as the CEO of the social networking site Sociogram. Medayedupin, however, denies any involvement in the scheme.
"All the allegations are false," he told PCMag via a LinkedIn message.
It is certainly possible that the author behind the phishing email chose Medayedupin's LinkedIn profile to hide his true identity. Still, the campaign highlights the danger of hackers trying to recruit disgruntled employees to carry out their plans. Last year, the FBI charged a Russian citizen with trying to pay a Tesla employee to plant malware on the US automaker's network in an attempt to steal corporate data.