DemonWare Ransomware

DemonWare Ransomware Description

The DemonWare Ransomware (also known as Black Kingdom and DEMON) is designed to lock targeted file types by using an uncrackable cryptographic algorithm. Although the threat is not among the most sophisticated ransomware out there, it can still get the job done if it is successfully delivered to a potential victim's computer. It should be noted that the author of this particular threat has made it available to the public by uploading the code to GitHub.

The files affected by the threat will have '.DEMON' appended to their original names as a new extension. Upon completing its encryption process, the DemonWare Ransomware delivers the same ransom note both as a pop-up window and in a text file named 'README.txt'. The base version of the threat did not ask for money to unlock the encrypted data. Instead, it directs its victims to open the link mentioned in the ransom note and search the website for their specific key. The note warns that victims have 10 hours to unlock their files, after which the encrypted data will become unsalvageable.
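The two host-side indicators described above (the appended '.DEMON' extension and the dropped 'README.txt') are enough for a first-pass incident-response triage. The following scanner is an added example and not code from the article or from the DemonWare author; the directory layout it builds is constructed sample data, and the decision rule (both indicators must be present) is an assumption.

```python
"""Triage helper for a host suspected of a DemonWare infection (added example)."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".DEMON"   # extension the ransomware appends, per the article
NOTE_NAME = "README.txt"   # file name of the dropped ransom note, per the article


@dataclass
class TriageReport:
    encrypted: dict = field(default_factory=dict)  # encrypted path -> original file name
    note_dirs: list = field(default_factory=list)  # directories holding a README.txt

    @property
    def likely_infected(self) -> bool:
        # Assumption: require both indicators; a lone README.txt is normal on most hosts.
        return bool(self.encrypted) and bool(self.note_dirs)


def triage(root: str) -> TriageReport:
    """Walk `root` and collect DemonWare indicators without reading file contents."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                # Strip the appended extension to recover the original file name,
                # which is what a restore-from-backup job needs.
                report.encrypted[path] = name[: -len(ENCRYPTED_EXT)]
            elif name == NOTE_NAME:
                report.note_dirs.append(dirpath)
    return report


def build_sample_tree() -> str:
    """Create a throwaway directory tree mimicking a hit share (constructed data)."""
    root = tempfile.mkdtemp(prefix="demonware_sample_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("budget.xlsx.DEMON", "notes.docx.DEMON"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("ransom note placeholder (constructed)")
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("untouched file")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"infected={r.likely_infected} encrypted={len(r.encrypted)} note_dirs={len(r.note_dirs)}")
```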

DemonWare is Used in an Amateurish Attack Scheme

Ransomware attacks have become a lucrative prospect for cybercriminals. Multiple ransomware gangs have been able to breach high-profile organizations and receive millions to free up the encrypted systems. Other hacker gangs have decided to take more of a backseat and offer fully fledged ransomware threats in a RaaS (Ransomware-as-a-Service) scheme. In short, they provide the malware arsenal in exchange for a cut of the eventual ransom, while their 'clients' are responsible for the actual attacks.

With several ransomware breaches being covered by the mainstream media, it appears that all manner of wanna-be criminals are now tempted to try their luck. One such attack operation uncovered by infosec researchers attempted to use social engineering tactics to deliver the DemonWare Ransomware. The term 'social engineering tactics' is used here rather loosely: the attacker found potential targets via LinkedIn and other publicly available sources and messaged them directly. The employees were asked whether they would be willing to deploy the ransomware on their organization's internal network in exchange for a million dollars, a 40% cut of the potential 2.5 million ransom that the attacker was going to demand.

While this particular attempt is extremely unlikely to ever succeed, it does highlight potential security risks that organizations may need to take into account when building their cybersecurity plan.