Ransomware Attacker Offers Employees a Cut if They Install DemonWare on Their Organization’s Systems


It may seem impossible to think that your employees or peers could knowingly compromise the security of your business. However, according to the 2021 Insider Threat Report by Cybersecurity Insiders, 57% of organizations feel insider threats have become more common in the last year. Furthermore, as many as 22% of all cybersecurity incidents can be traced back to insider threats, according to Verizon.

In recent years, we’ve seen ransomware gangs employ evermore creative techniques to carry out their attacks. This one might just be the most inventive example of them all.


Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.


While this specific TTP may be novel, it’s not completely without precedent. Depending on how you look at it, it might just be part of the natural evolutionary chain of ransomware cybercrime.

For one, “crowdfunded” ransomware attacks have been a thing for some time. This is when ransomware gangs make their software available for use by others. The ransomware can be deployed by the group/individual who approached the gang either by paying the gang an upfront fee or by giving them a cut of their earnings. Or, groups/individuals can be given a commission by ransomware gangs for pointing them towards potential targets.

Secondly, cybercriminals, in general, have been quick to exploit individuals as vulnerable entry points through businesses’ security perimeters. In fact, the same 2021 Data Breach Investigations Report by Verizon found that a staggering 85% of breaches involved the human element. However, the usual route is by trying to convince employees to download the malware through phishing emails, spoofed domains, or various other social engineering tactics.

Now, some ransomware gangs are attempting to take the shortest route through a company’s security systems by trying to compromise their staff directly.

Crane Hassold, director of threat intelligence for email security firm Abnormal Security, has been acting undercover as a rogue employee, liaising with a ransomware actor he believes is a Nigerian-based business email compromise (BEC) scammer.

This follows an actual attempt last year by Egor Igorevich Kriuchkov, 27, a citizen of Russia and cybercriminal to coerce a Tesla employee to deploy ransomware on their systems by offering the employee a $1m bribe. Luckily for Tesla, the employee worked with the FBI to build a case against the cybercriminal and bring him to justice.

This particular scammer seems to have developed a process used to carry out this attempted coercion. Firstly, he emails employees of a particular company, offering them a $1m (40% of $2.5m) bounty simply for downloading and installing the DemonWare ransomware. The attacker will provide the employee with an Outlook email address or Telegram account to stay in contact.

Demonware, also called Black Kingdom, is ransomware with its source code publicly available on GitHub. This particular ransomware has gained notoriety for commonly being used to exploit the ProxyLogon (CVE-2021-27065) vulnerability.

While it’s unclear how prevalent this TTP is in the wild, it just once again goes to show the lengths ransomware gangs will go to carry out their attacks. To a degree, it seems like ransomware actors are themselves testing the waters to try and see whether it’s a viable attack vector.

In the meantime, organizations should do everything in their power to protect themselves against all variants of ransomware attacks. Today, that means implementing proper endpoint and email security solutions as well as to properly train and educate their employees about cybersecurity threats.




Russian National Arrested For Conspiracy To Introduce Malware Into A Nevada Company’s Computer Network

Verizon – 2021 Data Breach Investigations Report

Cybersecurity Insiders – 2021 Insider Threat Report