Suspect arrested in 'ransom your employer' criminal scheme

The man at the heart of the 'business' allegedly wanted cash to fund a new social network project.
Written by Charlie Osborne, Contributing Writer

A Nigerian man has been arrested in connection with a scheme that attempted to lure insiders into deploying ransomware on their employers' systems.

On November 22, security expert Brian Krebs reported that the man, Oluwaseun Medayedupin, was arrested by Nigerian authorities on Friday. 

The suspect is allegedly linked to a 'ransom your employer' scheme investigated by Abnormal Security in August. 

Customers of the cybersecurity firm were sent emails with the subject "Partnership affiliate offer," requesting that the recipient consider becoming an accomplice in a cyberattack.

The emails offered a 40% cut of an anticipated $2.5 million ransomware payment in Bitcoin (BTC), made after the recipients installed the DemonWare ransomware on their employer's systems. 

A Microsoft Outlook email address and Telegram handle were provided for interested parties. Abnormal Security researchers reached out under the guise of a fictional person and confirmed they were sent a ransomware executable hosted on two file-sharing websites.

However, the ransomware 'cut' on offer was reduced to between $120,000 and $250,000 once the team began communicating with the scheme's operator.

The team suspected the ransomware initiative may be of Nigerian origin. When queried, the threat actor said he was attempting to build a social network for Africa called Sociogram and shared his LinkedIn profile containing his full name.  

"According to the actor, he collects his targeting information from LinkedIn, which, in addition to other commercial services that sell access to similar data, is a common method scammers use to obtain contact information for employees," Abnormal Security said. "[...] he had originally intended to send his targets -- all senior-level executives -- phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext."

Medayedupin then reached out to Krebs following his report, asking that the name Sociogram be removed while neither confirming nor denying Abnormal Security's investigation. Another message followed via a domain registrar, calling "Mr. Krebson" a "clout chasing monger."

Charges are expected to be brought against Medayedupin, reportedly 23 years of age, this week. 
