
FBI Warns of DoppelPaymer Ransomware Attack Surge

Cybercriminals Are Using Phone Calls to Pressure Victims

The FBI is warning of increased activity - including disruption of a police dispatch system - by the operators of DoppelPaymer, a ransomware variant linked to high-profile attacks over the last several months.


The operators of DoppelPaymer, or their affiliates, have been calling victims as a way of pressuring them to pay ransoms, which can be as high as seven figures, the FBI reports in a notice made public this week.

"As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data," the FBI alert notes. "In one case, an actor, using a spoofed U.S.-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom."

First spotted in 2019 as an offshoot of the cybercrime operation called Evil Corp, DoppelPaymer - which appears to be a variant of BitPaymer - has previously hit several high-profile targets, including Mexico's state-run oil company Pemex and Chile's Ministry of Agriculture, according to cybersecurity analysts.

The DoppelPaymer gang demands ransoms of $25,000 to $1.2 million in bitcoin, according to a previous report by security firm CrowdStrike (see: DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data).

The operators of DoppelPaymer and their affiliates not only use crypto-locking malware to encrypt files within targeted networks but also exfiltrate data in an attempt to extort payments from victims.

"The operators of Conti, Sekhmet, Maze, Ryuk and DoppelPaymer have all phoned victims to harass and intimidate them into paying," says Brett Callow, a threat analyst with security firm Emsisoft (see: Ransomware: Call Centers Cold-Call Victims to Demand Ransom). "Such tactics are likely to become increasingly commonplace as threat actors attempt to continuously find ways to apply more pressure to their targets."

The FBI has encouraged victims of ransomware attacks not to pay ransoms.

Increasing Activity

The latest FBI alert notes that, since September, DoppelPaymer has been tied to several ransomware attacks that have disrupted critical services, such as police dispatch, in the U.S. as well as other countries.

In an attack on an unidentified U.S. county, the ransomware operators compromised a 911 center and made changes that prevented police and other officials from accessing the county's computer-aided dispatch system, according to the FBI. In another incident, attackers targeted an unidentified city's network, which forced emergency services to revert to manual operations.

"The ransomware was introduced via an Internet Explorer/Edge browser after an employee viewed a cryptocurrency website. The city’s system was infected by a Dridex malicious advertisement campaign through the browser’s temporary internet files," the FBI notes. "The ransomware was successful in encrypting files stored on the following platforms: Windows 7, Windows 10, Server 2008, Server 2012, and Server 2016."

DoppelPaymer also infected the network of a German hospital, leading to one patient being transported 20 miles away for treatment. While the individual later died, law enforcement officials ultimately did not hold the gang responsible because the patient was in poor health and likely would have died anyway, the FBI notes.

"After German authorities contacted the actors through the provided communication accounts, the actors withdrew the extortion attempt and provided a digital decryption key upon learning patients' lives were endangered, according to open-source reporting about the German investigation," the FBI notes.

The FBI also says DoppelPaymer is believed to have compromised the networks of several community colleges in the U.S.

Increasing Cost

Over the last several months, the costs associated with ransomware attacks have steadily increased. During the third quarter of this year, the average ransom payment was about $234,000, an increase of 31% from the previous quarter, according to security firm Coveware (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises).

Gangs such as DoppelPaymer and ProLocker have increasingly focused on "big-game hunting," targeting large organizations and demanding ransoms of $1 million or more, according to Group-IB (see: Operators Behind ProLocker Ransomware Seek 'Big Game').

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
