DoppelPaymer Ransomware Targets US Suburb and Steals 200 GB of Data

DoppelPaymer ransomware actors recently targeted a city in Los Angeles County, stealing its data, encrypting its devices, and threatening to leak the data if the ransom is not paid on time.

Attack of the LA Suburb

The City of Torrance, a coastal US city in the South Bay region of Los Angeles, was targeted by the DoppelPaymer ransomware.

  • In April 2020, the City of Torrance was targeted by the DoppelPaymer ransomware, which encrypted its devices and took them out of service.
  • The hackers claimed to have stolen over 200 GB of sensitive data, including city budget financials, accounting documents, and an archive of documents belonging to the City Manager.
  • The ransomware operators demanded a 100 BTC (approximately $689,147) ransom in exchange for the decryptor. If not paid, the operators threatened to leak the data publicly.

A brief history of DoppelPaymer

Although not a very old strain, DoppelPaymer already has a chequered history.

  • DoppelPaymer, which shares most of its code with the BitPaymer ransomware, was first seen in the wild in June 2019.
  • The earliest known builds of DoppelPaymer date back to April 2019, but these builds lacked several features observed in later variants, which suggests that the initial build was probably developed for testing purposes. By July 2019, eight distinct samples of DoppelPaymer had been identified.
  • A major part of the DoppelPaymer code has been derived from BitPaymer, which points to links with the INDRIK SPIDER threat group that operates the BitPaymer ransomware.
  • The first three confirmed victims paid ransoms of 2 BTC, 40 BTC, and 100 BTC, which shows how quickly the ransom demands grew.

Recent DoppelPaymer attacks

DoppelPaymer has been very actively targeting organizations around the globe, especially in the US, over the past few months.

How to stay safe

Below are some general guidelines to stay protected from ransomware threats:
  • Enforce a strong-password policy for all user accounts, which makes it hard for ransomware operators to crack the password files they obtain.
  • Keep a recent backup of all sensitive data. In the event of a ransomware attack, the lost files can be recovered from the backup.
  • Apply an email policy that filters unsolicited executable code at the gateway, so that malicious or spam emails are blocked before they reach users.
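The third guideline above (filtering executable code at the mail gateway) is easy to state but has a few edge cases worth seeing in code: an executable renamed with a harmless extension, and an executable hidden inside a ZIP archive. The following is an added example, not code from the original article or from any product mentioned in it. It uses only the Python standard library; the sample message, its addresses and its attachments are constructed here purely for the demonstration.

```python
"""
Added example (not from the article): a minimal gateway-side attachment
policy check. It parses an RFC 822 message, walks every MIME attachment,
and flags executable content by extension, by the Windows PE 'MZ' and
Linux ELF magic bytes, and by inspecting the members of ZIP archives.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions commonly abused to deliver executable code by mail (assumed list).
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl", ".jar",
}


def looks_executable(filename: str, data: bytes) -> bool:
    """Return True if the attachment name or its leading bytes indicate executable code."""
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    # Windows PE files start with 'MZ' whatever extension they carry.
    if data[:2] == b"MZ":
        return True
    # Linux ELF binaries start with 0x7f 'E' 'L' 'F'.
    if data[:4] == b"\x7fELF":
        return True
    return False


def zip_members_executable(data: bytes) -> list:
    """List ZIP members that look executable by name or by magic bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as member:
                        head = member.read(4)
                except (RuntimeError, zipfile.BadZipFile, NotImplementedError):
                    head = b""  # e.g. encrypted member: fall back to the name check
                if looks_executable(info.filename, head):
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a valid archive; nothing to inspect
    return findings


def check_message(raw: bytes) -> list:
    """Return (attachment_name, reason) tuples for attachments that violate the policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            violations.append((name, "executable attachment"))
        elif data[:4] == b"PK\x03\x04":  # ZIP local file header
            for member in zip_members_executable(data):
                violations.append((name, f"archive contains executable: {member}"))
    return violations


def build_sample_message() -> bytes:
    """Construct a test message: a benign PDF-like file, a renamed PE, and a ZIP hiding a .js."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A PE header disguised behind a harmless-looking extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        zf.writestr("update.js", "// script body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in check_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

The renamed PE is caught by its magic bytes rather than its name, and the script inside the archive is caught by its member name, which is why both checks are applied to every attachment and every archive member. A production gateway would also recurse into nested archives and treat password-protected archives as suspicious rather than merely skipping them.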