The Federal Bureau of Investigation (FBI) is warning the private industry concerning the increase in DoppelPaymer ransomware attacks. Now threat actors are compelling victims to pay the ransom.
The first appearance of the DoppelPaymer ransomware was in the summer of 2019. Since that time, it has become a common variant used by attackers on organizations providing education, medical care and the emergency services. Besides using the Dridex banking Trojan and the Locky ransomware, the Evil Corp (TA505) threat group uses the DoppelPaymer ransomware in its campaigns.
Before using the ransomware to encrypt files, the threat group exfiltrates data so it can use the stolen information to threaten the victims to pay ransom. Even if it’s possible for victims to recover the encrypted files using their backups, they opt to pay the ransom to avert the risk of exposing the stolen information.
The threat group has the reputation of demanding big ransom amounts of up to seven figures. There is reason to believe that group has also resorted to contacting the victims to force them to pay the ransom. Other ransomware groups including Sekhmet, Conti and Ryuk have done the same.
The DoppelPaymer group giving victims a phone call since February 2020 to say that not paying the ransom would result to public exposure or selling of the stolen data. Sometimes, the group uses violence as a threat. For instance, an attacker used a spoofed U.S. number to call a victim and made it look like its a call from North Korea. The attacker also told the victim that if no ransom is paid, someone will go to his house. Then, the attacker also called some of the victim’s kin.
The FBI stated in the alert that some attacks in recent months disrupted the essential services of healthcare companies. A hospital in Germany had to take its to other facilities after an attack. Sadly, one patient died probably because of delayed treatment. A report by law enforcement authorities later stated its likely for the patient to die regardless of the attack due to poor health. As per an FBI report, the attacker did not push through with the extortion when he knew about the risk to patients’ lives. He also provided the decryption keys without demanding anything.
Another ransomware attack last July involved a big U.S. healthcare company. The 13 servers of the company were affected. No ransom payment was made. Backup files were used to restore the system but the recovery process took several weeks. The ransomware group also attacked a 911 dispatch center last September 2020. The center could not access its computer-aided dispatch (CAD) system. Another attack encrypted servers of a county so that it could not access its systems that manage its payroll, patrol, emergency dispatch, and jail sections . Last summer of 2020, there was also an attack that interrupted the emergency services, government functions and the police department of a U.S. city.
Kroll reported a 75% increase in attacks on healthcare providers last October 2020. Ransom payments also grew. Beazley stated that in the first half of 2020, ransom demands from attacks faced by its clients doubled. Coveware noted that Q3 of 2020 had a $234,000 average ransom demand, a 31% increase from Q2.
The FBI still advises companies not to pay ransom demands because it doesn’t ensure file recovery nor prevention of data exposure. When ransom is paid, attackers become more motivated to carry out more attacks.