FBI Alert on DoppelPaymer Ransomware Attacks Directed at Critical Infrastructure

The Federal Bureau of Investigation (FBI) has released a private industry notification regarding increasing DoppelPaymer ransomware activity and a change in the threat actors' tactics for pressuring victims into paying the ransom.

DoppelPaymer ransomware first appeared in summer 2019. Since then, attackers have used it against a variety of verticals, including education, healthcare, and emergency services. The ransomware is believed to be operated by the Evil Corp threat group (sometimes associated with TA505), which has also used the Dridex banking Trojan and the Locky ransomware in its campaigns.

As in many human-operated ransomware attacks, the threat group exfiltrates data before encrypting files and then uses the stolen data to pressure victims into paying. Even when victims can restore encrypted files from backups, the threat that the stolen data will be published or sold is often enough to make them give in to the ransom demand.

The threat group is known for demanding large ransom payments, often reaching seven figures. It is also believed to have started the tactic of contacting victims directly to pressure them into paying, which other ransomware operations such as Ryuk, Sekhmet, and Conti have since adopted.

Since February 2020, the DoppelPaymer group has been telephoning victims and threatening that their stolen data will be publicly released or sold if they do not pay. The callers have even made threats of violence. In one case, the attacker called from a spoofed U.S. number, made the call appear to originate from North Korea, and threatened that if the ransom was not paid, someone would be sent to the victim's home. The attacker later called several of the victim's relatives.

The FBI noted in the advisory that in recent months it has observed a number of attacks that disrupted critical services. Many healthcare organizations were attacked, resulting in disrupted patient services. Patients at a hospital in Germany had to be diverted to other facilities because of an attack, and one patient died because treatment could not be provided in time. Law enforcement authorities later concluded that the patient's health was so poor that the patient would probably have died regardless of the attack. The FBI noted that once the attacker was informed of the risk to patients' lives, the attacker withdrew the extortion demand and handed over the decryption keys without requiring payment.

Another attack, on a large U.S. healthcare provider in July 2019, affected 13 servers. Although no ransom was paid and files were restored from backups, recovery took several weeks. In September 2020, the ransomware group attacked a 911 dispatch center, leaving the county unable to access its computer-aided dispatch (CAD) system. In another county, an attack encrypted servers and cut off access to the systems used by the patrol, emergency dispatch, jail, and payroll departments. In summer 2020, an attack on a U.S. city caused a major disruption to emergency services, government functions, and the police department.

Ransomware attacks on healthcare organizations have increased over the course of the year. Kroll reported a 75% increase in attacks on healthcare providers in October 2020. Ransom payments are also growing: Beazley reported that ransom demands against its clients doubled in the first half of 2020, and Coveware reported an average ransom payment of approximately $234,000 in Q3 2020, up 31% from Q2.

The FBI advises against paying ransom demands unless there is no other option, since payment neither guarantees file recovery nor prevents data exposure. Paying also encourages the attackers to carry out further attacks and incentivizes others to take part in ransomware campaigns.