DoppelPaymer Ransomware Targets US Suburb and Steals 200 GB of Data
DoppelPaymer ransomware actors recently targeted a city in Los Angeles County, stealing its data, encrypting its devices, and threatening to leak the stolen data if the ransom is not paid on time.
Attack of the LA Suburb
The City of Torrance, a coastal US city in the South Bay region of Los Angeles, was targeted by the DoppelPaymer ransomware.
- In April 2020, the City of Torrance was targeted by the DoppelPaymer ransomware, encrypting the devices and rendering them out of service.
- The hackers claimed to have stolen over 200 GB of sensitive data, including city budget financials, accounting documents, and an archive of documents belonging to the City Manager.
- The ransomware operators demanded a ransom of 100 BTC (approximately $689,147) in exchange for the decryptor. If it was not paid, the operators threatened to leak the data publicly.
A brief history of DoppelPaymer
Although not a very old strain, the DoppelPaymer ransomware already has a chequered history.
- DoppelPaymer, which shares most of its code with the BitPaymer ransomware, was first seen in the wild in June 2019.
- The earliest known builds of DoppelPaymer date back to April 2019, but these builds lacked several features observed in later variants. This suggests that the initial build was probably developed for testing purposes. By July 2019, eight distinct samples of DoppelPaymer had been identified.
- A major part of the DoppelPaymer code has been derived from BitPaymer, which indicates its links with the INDRIK SPIDER threat group, which operates the BitPaymer ransomware.
- The first three confirmed victims paid ransom amounts of 2 BTC, 40 BTC, and 100 BTC, which shows how rapidly the ransom demands escalated.
Recent DoppelPaymer attacks
DoppelPaymer has been actively targeting organizations around the globe, especially in the US, over the past few months.
- In March 2020, DoppelPaymer targeted the aerospace and defense contractor Visser Precision and threatened to leak the data of its high-profile clients, which included Tesla, Lockheed Martin, Boeing, and SpaceX. When Visser Precision refused to pay the ransom, the sensitive information belonging to these organizations was leaked on the internet.
- Other organizations targeted by DoppelPaymer include Kimchuk (a medical and military electronics maker) in March 2020, Bretagne Télécom in February 2020, Pemex Communications in November 2019, Rouen University Hospital-Charles Nicolle in November 2019, Petróleos Mexicanos in November 2019, the Louisiana state government in November 2019, and more.
How to stay safe
Below are some general guidelines for staying protected against ransomware threats:
- Enforce a strong password policy for all user accounts, which makes it harder for ransomware operators to crack the password files they obtain.
- Keep a recent backup of all sensitive data. In the event of a ransomware attack, the lost files can be recovered from the backup.
- Apply an email policy that filters unsolicited executable code at the gateway, so that malicious or spam emails are blocked before they reach users.