Ransomware crooks are targeting vulnerable

The ransomware gang identified as DoppelPaymer has leaked a substantial collection of files from the Illinois Office of the Attorney General (OAG) on a server controlled by the cybercriminal group. The move came after ransom negotiations between the two parties broke down following a ransomware attack earlier this month, on April 10.

The leaked files include not only public information from court cases handled by the Illinois OAG, but also private documents that aren’t a part of the public record, according to security research firm Recorded Future, which detailed the leak in a post on its news portal The Record. The files contain personally identifiable information about state prisoners, their grievances and cases. DoppelPaymer, based on BitPaymer ransomware, emerged in 2019 as a significant cybercriminal threat and has been used since then to carry out a number of high-profile attacks. Visser Precision, a supplier to SpaceX and Tesla; Los Angeles County; and Kia Motors have all been victims of attacks by the group.

DoppelPaymer’s attackers initially commenced their activity by locking and encrypting files on victims’ networks, but later evolved to using threats to leak stolen data after attacks as a bargaining chip in ransomware negotiations–as well as making good on those threats.

Philip Reiner, CEO of the Institute for Security and Technology and executive director of the industry task force, said the reporting recommendations are one of several areas where federal agencies will likely need to dedicate more employees. For example, he said, expecting victims to clear ransomware payments with the Treasury Department first assumes the agency has the staff to respond in any kind of timeframe that might be useful for a victim undergoing a ransomware attack.

According to security firm Emsisoft, almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.

“The costs of ransomware go far beyond the ransom payments themselves,” the task force report observes. “Cybercrime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”

The University of California-San Francisco, heavily involved in COVID-19 research, barely hesitated before paying. It gave the criminals $1.1 million last June. Manufacturers have been especially hard-hit this year, with ransoms of $50 million demanded of computer makers Acer and Quanta, a major supplier of Apple laptops.

Some top ransomware criminals fancy themselves software service professionals.

Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.

“If they stick to their promises, future victims will be encouraged to pay up,” Maurits Lucas, director of intelligence solutions at the cybersecurity firm Intel471, told a webinar earlier this year. “As a victim you actually know their reputation.”

The business tends to be compartmentalized. An affiliate will identify, map out and infect targets, choose victims and deploy ransomware that is typically “rented” from a ransomware-as-a-service provider. The provider gets a cut of the payout, the affiliate normally taking more than three-quarters. Other subcontractors may also get a slice. That can include the authors of the malware used to break into victim networks and the people running the so-called “bulletproof domains” behind which the ransomware gangs hide their “command-and-control” servers. Those servers manage the remote sowing of malware and data extraction ahead of activation, a stealthy process that can take weeks.