Digital Guardian's Blog

DoppelPaymer Ransomware Gang Threatening Victims

by Chris Brook on Thursday December 17, 2020


In a recent note, the FBI outlined how DoppelPaymer ransomware attacks have impacted critical infrastructure, and the lengths the attackers have gone to in order to get paid.

When it comes to ransomware, administrators already have enough on their plates mitigating attacks in the first place; now those whose organizations have been hit have also had to deal with harassment.

In a recent note, the Federal Bureau of Investigation said it has seen cases where the attackers behind the DoppelPaymer variant of ransomware call victims directly, pressing them to follow through with paying the ransom. If the victims decline, the attackers threaten to release the organization's data.

The calls can be frightening. In one instance an attacker used a fake US-based phone number, claimed to be from North Korea, and said the group would sell or leak the data if the business didn't pay. The attackers then doubled down, threatening to send someone to the home of an employee, reciting that employee's home address to prove the point, and going on to call some of the employee's relatives.

These aggressive tactics aren't necessarily new. A handful of groups have recently threatened organizations with leaking their data: Sodinokibi, Maze, Sekhmet, Ryuk, Netwalker, Mespinoza, Conti, and others. That's in addition to groups that come back a second time and demand a second ransom on top of the first.

According to reports, in September a dentist's office in Georgia said it received a call from attackers who claimed to have hit its systems with Conti ransomware and then demanded a ransom.

According to the FBI, DoppelPaymer was actually one of the first groups to do this. The report, a Private Industry Notification (PIN), says the FBI first saw examples of this behavior in February 2020. The PIN goes on to detail DoppelPaymer attacks on healthcare, emergency services, and educational institutions dating back even further, to June 2019.

The FBI used the PIN to reiterate its stance that it does not encourage paying a ransom. Doing so could tempt attackers to carry out future attacks and target other organizations, and it does not even guarantee that the attacked organization gets its data back.

To prevent attacks like those involving DoppelPaymer, the FBI encourages organizations to do the following:

• Ensure backups are secure and are disconnected from the network at the conclusion of each backup session.
• Audit user accounts regularly, particularly Remote Monitoring and Management accounts that are publicly accessible. Patch operating systems, software, firmware, and endpoints.
• Monitor inbound and outbound network traffic; set alerts for data exfiltration.
• Apply two-factor authentication to user login credentials, receiving responses by text rather than email as actors may be in control of victim email accounts.
• Implement least privilege for file, directory, and network share permissions.

Tags: Ransomware


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.