Share this article on:
The Federal Bureau of Investigation (FBI) has issued a private industry notification warning of an increase in DoppelPaymer ransomware activity and a change in tactics by the threat actors to pressure victims into paying.
DoppelPaymer ransomware first emerged in the summer of 2019 and has since been used in attacks on a range of verticals including healthcare, education, and the emergency services. The ransomware is believed to be operated by the Evil Corp (TA505) threat group, which was behind Locky ransomware and the Dridex banking Trojan.
Like many human-operated ransomware operations, the threat group exfiltrates data prior to the encryption of files and uses the stolen data as leverage to get the ransom paid. While victims may be able to recover encrypted files from backups, the threat of the public release or sale of stolen data is sufficient to get them to pay the ransom demand.
The threat group is known for demanding large ransom payments, often as high as seven figures. The gang is also believed to have been the first to start cold calling victims to pressure them into paying; a tactic that has now been adopted by several ransomware gangs including Ryuk, Conti, and Sekhmet.
The DoppelPaymer gang has been calling victims since at least February 2020 to issue threats if payment is not made, such as the public release of stolen data, sale of stolen data, and even threats of violence. In one case, a call was made using a spoofed U.S. number by an individual claiming to be in North Korea who threatened to send an individual to an employee’s home if the ransom was not paid. Subsequently, calls were made to several of the individual’s relatives.
The FBI explained in the alert that several attacks have been conducted in recent months that have caused significant disruption to critical services. Many healthcare providers have been attacked causing disruption to patient services. One attack on a hospital in Germany resulted in patients being redirected to alternative facilities, with one patient dying before treatment could be provided. Law enforcement officials later determined that the patient would likely have died due to poor health irrespective of the attack and the FBI notes that when the threat group was notified that lives were being put at risk, the extortion attempt was withdrawn, and the digital decryption keys were provided without charge.
Another attack on a large U.S. healthcare provider in July 2019 saw 13 servers impacted by the attack. While the ransom was not paid and files were recovered from backups, the recovery process took several weeks. In September 2020, the ransomware gang attacked a 911 dispatch center which prevented the county from accessing its computer-aided dispatch (CAD) system. In a separate attack on a different country, servers were encrypted that prevented access to systems used for emergency dispatch, patrol, jail, and the payroll departments. A U.S. city was attacked in the summer of 2020 causing major disruption to emergency services, the police department, and government functions.
Ransomware attacks on healthcare organizations have increased as the year has gone on, with Kroll reporting a 75% increase in attacks on healthcare providers in October 2020. Ransom payments are similarly increasing. Beazley has reported ransom demands in attacks on its clients doubled in the first 6 months of 2020, while Coveware reported the average ransom demand rose to $234,000 in the third quarter of 2020, up 31% from Q2.
The advice of the FBI is never to pay ransom demands unless there is no alternative, as payment does not guarantee the recovery of files or prevent data exposure. Payment of the ransom also encourages the attackers to conduct further attacks and incentivizes others to get involved in ransomware operations.