Is the hacker behind a recent ransomware scheme actually a Nigerian CEO desperate for funding? Anti-phishing company Abnormal Security uncovered the bizarre incident while investigating a ransomware campaign targeting its clients.
Last week, Abnormal Security detected and blocked a number of phishing emails that tried to recruit company employees into installing ransomware on their corporate networks. The sender promised accomplices $1 million in Bitcoin, or a 40% cut of the total earnings. The same emails also contained an email address and Telegram and WhatsApp numbers for contacting the author.
However, the hacker behind the scheme appears to be an amateur, who may have unwittingly exposed his own identity. To investigate, Abnormal Security created a fake persona and began communicating with the phishing email’s author.
The culprit ended up sharing links to ransomware executable files that could be installed on a Windows server. During the conversations, the attacker also revealed the motive behind his scheme. “I just need some funds to build my own company,” he wrote.
The hacker then revealed even more personal information after Abnormal Security wrote back, saying it was worried the whole scheme was a prank. “He confirmed that he was located in Nigeria and was trying to build an African social networking platform, joking he was ‘the next Mark Zuckerberg.’ He also provided a link to his LinkedIn profile containing his full name,” Abnormal Security’s director of threat intelligence, Crane Hassold, wrote in the report.
Abnormal Security also began searching on the open web for the contact details left in the phishing email. The research led the company to spot information on a currency trading site and a Russian social media platform connecting the contact details to a Nigerian user.
“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”
Indeed, Nigerian fraudsters have been tied to stealing millions from unsuspecting victims through fake emails and online romance scams. However, the culprit behind this particular scheme was no expert when it came to ransomware. For example, the malicious files provided were traced back to a freely available ransomware demo on GitHub.
At one point, Abnormal Security also expressed concern about being caught while installing the ransomware on a company server. In response, the hacker said the ensuing attack would “cripple” all surveillance cameras on the corporate network. The hacker then encouraged Abnormal Security to simply delete the ransomware package after installation by sending it to the Recycle Bin, apparently unaware that a digital forensic investigation could still uncover traces of the infection vector. Sending a file to the Recycle Bin only moves it to a hidden folder on the same volume rather than erasing it, and Windows keeps its own records of program execution (such as Prefetch files and event logs) that survive deletion of the executable itself.
Security journalist Brian Krebs has identified the LinkedIn profile that the hacker shared with Abnormal Security. It belongs to a Nigerian man named Oluwaseun Medayedupin, who lists himself as CEO of the social networking site Sociogram. However, Medayedupin denies any involvement in the scheme.
“All the allegations are false and inaccurate,” he told PCMag through a LinkedIn message.
It’s certainly possible the author behind the phishing email selected Medayedupin’s LinkedIn profile to mask his real identity. Nevertheless, the campaign highlights the threat of hackers trying to recruit disgruntled employees into perpetrating their schemes. Last year, the FBI caught a Russian citizen trying to pay a Tesla employee to plant malware at the US automaker in an effort to steal corporate data.