Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Fraud Risk Management

DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data

Crypto-Locking Malware Gang Follows In Footsteps of Maze, Sodinokibi and Others
DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data
DoppelPaymer's Tor-based ransomware payment portal (Source: Bleeping Computer, which added red box)

More bad news for ransomware victims: Anyone hit with with crypto-locking DoppelPaymer malware now faces the prospect of having their personal data dumped on a darknet site unless they pay a ransom.

See Also: The Cost of Underpreparedness to Your Business

So says the DoppelPaymer gang, which tells Bleeping Computer that it's been stealing data for the past year and occasionally selling it anonymously to help cover the gang's costs.

Bleeping Computer reports that Doppelpayer's Tor-based ransom-payment portal - where victims can remit bitcoins in return for the promise of a working decryption tool - now features this statement:

"Also we have gathered all your private sensitive data.
Some sensetive [sic] information stolen from the file servers will be disclosed to public or sold to a re-seller if you decide not to pay.
It will harm your business reputation."

The enhanced blackmail tactic comes on the heels of a number of other ransomware operators promising to employ the same tactics, with at least some following through.

Life After Maze

In November 2019, the Maze gang leaked almost 700 MB of data that it stole from Allied Universal, a California-based security services firm. Subsequently, the attackers leaked even more information from additional victims, including the Florida city of Pensacola, manufacturer Southwire, an accounting firm, a medical testing lab, medical practices and more (see: Maze Ransomware Gang Names More Alleged Victims).

"The group’s modus operandi is to initially name the companies they’ve hit on their website and, if that doesn’t convince the companies to pay, to publish a small of the amount of their data ('proofs')," says Brett Callow, a threat analyst at anti-virus firm Emsisoft (see: Hackers Pose Increasing Risk to Medical Research Data).

Such tactics are a variation on age-old blackmail schemes. "It's the equivalent of a kidnapper sending a pinky finger," Callow says. "If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis. The group has also published data in Russian hacker forums with a note to 'use this information in any nefarious ways that you want.' In other words, it’s highly likely that more of the firms' data will be published unless they pay."

Maze post to the XSS cybercrime forum

Maze's stated goal is simple: Once it gets paid, it will remove the victim's name from its website, not dump further data and also promise to delete all of the data that it stole.

Whether the gang would really delete any stolen data, however, remains to be seen. "It seems highly unlikely that a criminal enterprise would actually delete that it may be able to monetize at a later date," Callow says.

Ransomware Constant: Innovation

Threatening to dump exfiltrated data is merely the latest in a long line of ransomware gang innovations, which took a major leap forward four years ago, with a watershed, targeted attack against Hollywood Presbyterian Medical Center by the SamSam gang, says security researcher Vitali Kremez, who heads SentinelLabs for security firm SentinelOne. "Everything has changed since the advent of targeted ransomware, linking back to the SamSam Hollywood Presbyterian attack," Kremez tells Information Security Media Group (see: Ransomware Hits Hospitals).

In particular, for more advanced attackers, ransomware is now only one piece of the operation. "The ransomware deployment becomes the last and most important step of the successful network exploitation operation, using it as the final outcome of the breach," he says.

And more recently, gangs have been threatening to leak data as a way to amplify their perceived threat. In this "new, worrying trend" in ransomware - as Raj Samani, chief scientist at McAfee, calls it - other ransomware gangs have been promising to follow in Maze's footsteps.

In December 2019, the Sodinokibi - aka REvil and Sodin - ransomware-as-a-service operation, as well as Nemty and Snatch, said they too would be exfiltrating data from victims before crypto-locking systems and dumping stolen data in batches to dedicated portals unless victims paid a ransom (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).

Maze ransomware logo (Source: @JAMESWT_MHT)

"Maze has shown the world that success rates are increased after sharing some data," the DoppelPaymer gang tells Bleeping Computer.

Such moves are "a natural progression in the threat actors' focus" as they pursue additional forms of pressure that might make victims more likely to pay," David Stubley, CEO at 7 Elements, a security testing firm and consultancy in Edinburgh, Scotland, has told ISMG. But he says it's unclear how many gangs have data exfiltration skills, including the ability to steal data without inadvertently revealing themselves to the organization they're attacking and giving it time to lock down the intrusion before criminals can unleash ransomware.

DoppelPaymer Pummels Victims

Security experts say DoppelPaymer is an offshoot of the cybercrime operation called Evil Corp, aka Dudear, SectorJ04 and TA505 (see: TA505 APT Group Returns With New Techniques: Report).

The DoppelPaymer ransomware appears to be a variant of BitPaymer. After appearing in June 2019, it's been used to shake down victims for ransoms of $25,000 to $1.2 million, according to cybersecurity firm CrowdStrike.

The rise of this strain of ransomware has been swift. Ransomware incident response firm Coveware reports that in the fourth quarter of 2019, DoppelPaymer ransomware accounted for about 6 percent of all ransomware incidents its customers saw (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).

Market share of ransomware, based on incident count (Source: Coveware)

In November 2019, for example, Mexico's state-run oil company Pemex said it had been hit with the ransomware and that it was refusing to pay the $5 million ransom being demanded by attackers. Security experts have said there are clues that the ransomware used in the attack might be either Ryuk or DoppelPaymer.

As with some other strains of ransomware, whoever is wielding DoppelPaymer appears to have network penetration skills, including the ability to gain remote access to organizations' Active Directory environments to facilitate their distribution of ransomware (see: Microsoft Debunks DoppelPaymer Ransomware Rumors).

"Remember, the ransomware itself may not need to have the exfil ability; if threat actors have gained access via RDP, for example, they have full access to the network for doing so," 7 Elements' Stubley says.

Kremez at SentinelLabs says the risk that defenders will give themselves away due to their data exfiltration activities being spotted is often minimal. "While exfiltration might indeed be more visible for network defenders than ransomware activity, it does not play a major factor due to the fact that in the majority of high-profile ransomware cases the criminals are already admins and operate in 'god mode' and can cover their track via many means."

Data Breach Twist

While the Maze gang has been actively leaking victims' data, it remains to be seen if other gangs will follow suit. But security experts say gangs will at least threaten to do so. "We assess with high confidence that even more ransomware collectives will adopt the phrasing of 'leaking data if not paid' in the future to amplify more pressure on the victim to comply with their extortion demands," Kremez says.

If more attackers leak data, however, it could have profound repercussions for ransomware victims. In particular, any outbreak of crypto-locking malware might also involve a data breach, thus triggering breach reporting requirements for victims in the U.S., Europe - per the EU's General Data Protection Regulation - and other countries.

One unanswered legal question is, if an organization knows it's been hit by ransomware, but cannot disprove that attackers stole data first, should it treat the incident as a data breach?

"The clear statement that data was not exfiltrated has often been part of statements made by ransomware victims," McAfee's Samani tells ISMG.

In terms of how organizations might need to adjust such statements as more gangs leak data, "I suspect this nuance will be dictated by the regulatory regime as to what constitutes a breach and the response will ultimately be dictated by evidence of exfiltration," he says.

'Full-Blown Data Breach Incidents'

Kremez, however, notes that as ransomware gangs innovate, they're increasingly ransacking networks, making it much more likely that any outbreak of crypto-locking malware is tied to at least some data exposure as well.

"Ransomware incidents are no longer contained, encryption 'data denial' events from the network defense perspective; they should be treated as full-blown data breach incidents due to the enhanced cybercrime intrusion model," he says. "This is an outcome of the larger trend of malware and network intrusions and breach actors within ransomware collectives to squeeze more value from the affected organizations."

The threat of stolen data being dumped or sold on darknet forums is designed to pressure ransomware victims to pay attackers to not identify them publicly or dump their data. Whether this pressure will translate into increased criminal profits, however, remains to be seen.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.