As if administrators didn't already have enough on their plates mitigating ransomware attacks in the first place, those whose organizations have been hit have also had to deal with harassment.
In a recent note from the Federal Bureau of Investigation, the agency said that it has seen cases where attackers behind the DoppelPaymer variant of ransomware have been calling victims directly, pressing them to follow through with paying the ransom. If the victims decline, the attackers threaten to release the organization's data.
The calls can be scary; in one instance an attacker used a fake US-based phone number, claimed to be from North Korea, and said the group was going to sell or leak the data if the business didn't pay. The attackers then doubled down, threatening to send someone to the home of an employee - at which point they read out the employee's home address - before going on to call some of the employee's relatives.
These aggressive tactics aren't necessarily new. We've seen a handful of groups recently - Sodinokibi, Maze, Sekhmet, Ryuk, Netwalker, Mespinoza, Conti, etc. - threaten organizations with leaking their data. That's in addition to groups that come back a second time and ask for a second ransom on top of the first.
According to reports, in September a dentist's office in Georgia said it got a call from attackers who claimed to have hit its systems with Conti ransomware and then asked for a ransom.
According to the FBI, DoppelPaymer is actually one of the first groups to do this. According to the report - a Private Industry Notification, or PIN - the FBI first saw examples of this in February 2020. The PIN goes on to detail DoppelPaymer attacks on healthcare, emergency services, and educational institutions dating back even further, to June 2019.
The FBI used the PIN to reiterate its stance that it doesn't encourage paying a ransom. Doing so could tempt attackers to carry out future attacks, target other organizations, and doesn't even necessarily allow an attacked organization to get its data back.
In order to prevent attacks - like those involving DoppelPaymer - the FBI encourages organizations to do the following:
• Ensure backups are secure and are disconnected from the network at the conclusion of each backup session.
• Audit user accounts regularly, particularly Remote Monitoring and Management accounts that are publicly accessible. Patch operating systems, software, firmware, and endpoints.
• Monitor inbound and outbound network traffic; set alerts for data exfiltration.
• Apply two-factor authentication to user login credentials, receiving responses by text rather than email as actors may be in control of victim email accounts.
• Implement least privilege for file, directory, and network share permissions.
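As an added illustration of the "set alerts for data exfiltration" item above (example code written for this page, not from the FBI notification or any DoppelPaymer analysis), the script below sums the bytes each internal host sends to non-RFC 1918 destinations and flags hosts that exceed a baseline. The flow records, the 1 GB threshold and the use of TEST-NET addresses as stand-ins for external hosts are all constructed assumptions.

```python
"""Flag internal hosts whose outbound transfer to external addresses exceeds a baseline.

Added example (not from the FBI PIN or the article). The flow records below are
constructed; 203.0.113.x / 198.51.100.x are documentation ranges used here to
stand in for external hosts, and the 1 GB threshold is an assumed baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "inside" the organization (assumption for this example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (source ip, destination ip, bytes sent by the source).
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.1.2", 5_000_000),          # internal file share, not egress
    ("10.0.1.15", "203.0.113.9", 1_500_000_000),   # 1.5 GB to one external host
    ("10.0.1.15", "203.0.113.9", 900_000_000),     # another 0.9 GB to the same host
    ("10.0.2.8", "198.51.100.4", 20_000_000),      # browsing-scale volume
    ("10.0.2.8", "10.0.2.1", 80_000_000),          # internal backup traffic
]


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_bytes_by_host(flows):
    """Sum bytes each internal source sent to external (non-RFC 1918) destinations."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def exfiltration_alerts(flows, threshold_bytes=1_000_000_000):
    """Return sorted (host, total_bytes) pairs for hosts whose egress exceeds the threshold."""
    return sorted(
        (host, total)
        for host, total in egress_bytes_by_host(flows).items()
        if total > threshold_bytes
    )


if __name__ == "__main__":
    for host, total in exfiltration_alerts(SAMPLE_FLOWS):
        print(f"ALERT: {host} sent {total / 1e9:.2f} GB to external hosts")
```

In practice the threshold should be derived from each segment's normal egress volume, and the same per-host totals can be compared against a rolling baseline rather than a fixed number.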