The scam involved attempts to hire insiders to install DemonWare ransomware on their employer’s IT systems.
A Nigerian citizen, deemed a key suspect in the Ransom Your Employer scheme, was arrested Friday. Reportedly, through the scheme, the scammers deployed ransomware on employers’ systems.
According to a report from KrebsOnSecurity’s Brian Krebs, published on Nov 22, Oluwaseun Medayedupin was arrested by law enforcement authorities in Nigeria for his alleged connection to the infamous Ransom Your Employer scheme. The 23-year-old schemer is expected to be charged this week.
About the Ransom Your Employer Scheme
KrebsOnSecurity’s Brian Krebs warned in August that scammers were soliciting employees to unleash ransomware inside their employer’s network, offering a percentage of the ransom amount paid by the employer in exchange.
Abnormal Security later investigated this scheme and reported that a cybersecurity firm’s customers received emails with the subject line “Partnership affiliate offer.” The recipient was asked to become an accomplice in a cyberattack and offered a 40% cut of an expected $2.5 million ransomware payment in Bitcoin.
For their share, the recipient had to install the DemonWare ransomware on their employer’s IT systems. Interested parties received an MS Outlook email ID and Telegram handle.
How Was the Schemer Arrested?
When Abnormal Security’s director of threat intelligence Crane Hassold contacted the sender under the guise of an interested party, he received a ransomware executable hosted on two different file-sharing websites.
Later, after he contacted the scheme’s operator, the payment share was reduced to between $120,000 and $250,000.
A further probe revealed that the ransomware scheme might have a Nigerian origin. The threat actor shared that he wanted to build Sociogram, a social networking platform for Africa. Medayedupin even shared his LinkedIn profile, which contained his full name.
Additionally, he told them that he was gathering information from LinkedIn, as well as from other commercial services offering similar information, and collecting funds for this new social network.
Hassold wrote that the schemer “had originally intended to send his targets — all senior-level executives — phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext.”
After Abnormal Security’s report was published, Medayedupin contacted Krebs and asked him to remove Sociogram’s name from the story and not to harm its reputation. However, he didn’t confirm or deny Hassold’s findings.
“Please don’t harm Sociogram’s reputation. I beg you as a promising young man,” the Sociogram founder requested.
In November, Nigerian authorities arrested the schemer.