Nigerian threat actor attempting to recruit employees by offering them to pay $1 million in Bitcoin to deploy Black Kingdom ransomware on companies.

The sender tells the employee that if they able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in Bitcoin or 40% of the presumed $2.5 million ransom. The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested an Outlook email account and a Telegram username.

Black Kingdom, also widely known as DemonWare, caught the attention of the researchers when attackers were found abusing ProxyLogon vulnerabilities affecting Microsoft Exchange Servers to infect an unpatched system with the ransomware strains.

Researchers created a fake identity to communicate with the ransomware operator who went by the screen name “Pablo”communicated with the ransomware operator via telegram and was able to talk the mastermind into sending what turned out to be a file named “Walletconnect (1).exe” containing the ransomware.

The use of the DemonWare malware “demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically sophisticated actors to get into the ransomware space”.

Researchers believe the operator with was likely Nigerian, based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website.A signature style of Nigerian fraudsters is social engineering, most infamously in the “Nigerian prince” schemes in which scammers attempt to lure victims to send money under another guise.