
DoppelPaymer Ransomware Attack Disrupts Foxconn’s Operations in the Americas, Hackers Delete Terabytes of Data, Demand $34 Million

Foxconn, the world’s leading electronics manufacturing company, suffered a ransomware attack that encrypted more than a thousand servers and exfiltrated about 100 GB of data. The attack, which used the DoppelPaymer ransomware, hit a facility in Mexico over the Thanksgiving weekend.

Foxconn has more than 800,000 employees and annual revenue of $172 billion, according to 2019 figures. Its subsidiaries include Sharp, Belkin, Innolux, and FIH Mobile, and it manufactures electronic devices for Apple.

DoppelPaymer cybercrime gang takes responsibility for the ransomware attack

The ransomware attack is believed to have taken place on Nov 29 at the CTBG MX facility in Ciudad Juárez, Chihuahua, Mexico, and it disrupted Foxconn’s North and South American operations.

Established in 2005 and occupying 682,000 sq. feet, the facility oversees the assembly and shipment operations for all the Americas’ products.

The DoppelPaymer ransomware gang took responsibility for the attack in an interview with BleepingComputer. However, the gang denied attacking the whole company, insisting that it only targeted the North American segment.

They claimed to have encrypted about 1,200 servers, exfiltrated about 100 GB of data, and destroyed 20-30 TB of backups. The group also said it targeted only Foxconn’s servers and left the company’s workstations alone.

Foxconn’s documents leaked online after the DoppelPaymer ransomware attack

A few days after the electronics giant suffered a ransomware attack, the DoppelPaymer ransomware gang published Foxconn’s files on an underground leak site.

The leaked files included business documents and reports but hardly any financial, employee, or customer information.

The release was meant to prove that the stolen data was genuine. However, Foxconn was unable to confirm whether the published documents came from its own systems.

DoppelPaymer Ransomware gang demands a $34 million ransom payment

The threat actors demanded a $34 million ransom to decrypt the servers and avoid publishing the stolen data online.

A ransom note released by the DoppelPaymer ransomware gang provided a link to Foxconn’s victim page, instructing the company to pay 1804.0955 Bitcoins, valued at $34,686,000 at the time.

Foxconn also acknowledged the attack saying that “an information system in the US that supports some of our operations in the Americas was the focus of a cybersecurity attack on Nov 29.”

The company said it had involved technical experts and law enforcement agencies in investigating the incident and apprehending the suspects.

“The system that was affected by this incident is being thoroughly inspected and being brought back into service in phases,” Foxconn’s statement concluded.

The DoppelPaymer ransomware gang has been targeting about 2% of the top organizations in the world. Its past victims include Banijay Group SAS, Bretagne Télécom, Compal, Endemol Shine, Hall County in Georgia, Newcastle University, PEMEX (Petróleos Mexicanos), and the City of Torrance in California.

The new normal for ransomware attacks

Commenting on Foxconn’s DoppelPaymer ransomware attack, Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, says, “This is the new normal. Ransomware gangs have evolved from unsophisticated ‘Script kiddies’ to hacking experts with multimillion-dollar budgets.”

“Unfortunately, most businesses have not comparably improved their defensive posture, with many lacking even basic security hardening and monitoring capabilities to combat these skilled adversaries,” commented Clements.

Clements also noted that traditional protection mechanisms such as firewalls and antivirus are no longer sufficient on their own against modern threats.

“The days of simply installing antivirus and a firewall to protect organizations have long since passed. It’s too easy to get a phishing email through spam filters that contain a file attachment obfuscated such that the embedded exploit code isn’t caught by antivirus.”

He recommended adopting a “culture of security starting with executive leadership” prioritizing system and data security.

“Security awareness training to spot phishing emails as well as information security best behaviors is a crucial component of an effective security program, but it is only the first step,” Clements continued. “Organization-wide convergence on information security best practices as well as capabilities to identify suspicious behaviors either by cybercriminals or trusted insiders are essential to mitigating costly breaches.”

James McQuiggan, Security Awareness Advocate, KnowBe4, says that ransom demands have been rising over the years.

“Usually, they target around one to two percent of the organization’s overall profits, but the amount requested is lower. Thirty-four million out of 172 billion dollars is no small amount, but it is undoubtedly payable in the grand scheme of things.”

McQuiggan says that companies should keep offline backups to limit lost productivity. Such backups also speed up recovery when a criminal gang encrypts systems and deletes every online backup it can reach during a ransomware attack.
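An offline copy only helps if, when the online backups have been wiped as they were here, you can show the surviving copy is complete and untampered before you start restoring from it. The following Python is an added example written for this page, not code from the article, from Foxconn, or from any of the quoted companies. It records a manifest of SHA-256 hashes for a backup set, then checks the set on disk against that manifest so that deleted, overwritten, or renamed files are reported. The backup directory layout, file contents, and simulated attacker actions are all constructed for the demo; the manifest is assumed to have been stored on the offline media together with the copy it describes, not on the share the attacker reached.

```python
"""Backup-set manifest and verification (added example, not the article's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash and size of every regular file under root, keyed by POSIX relative path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a manifest kept on separate, write-once media.

    Reports files that are missing, modified (hash mismatch), or unexpected (on disk but not
    in the manifest, e.g. ransom notes or renamed ciphertexts). Only an empty report is "ok".
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        p for p in set(manifest) & set(current)
        if current[p]["sha256"] != manifest[p]["sha256"]
    )
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def simulate_ransomware(root: Path) -> None:
    """Constructed attacker behaviour for the demo: overwrite, rename, and delete backup files.

    This only mirrors the pattern the article describes (data encrypted, backups destroyed);
    it is not the real malware's behaviour.
    """
    files = sorted(p for p in root.rglob("*") if p.is_file())
    # "encrypt" one file in place and rename it with a new extension
    files[0].write_bytes(os.urandom(64))
    files[0].rename(files[0].with_name(files[0].name + ".locked"))
    # delete a second backup outright
    files[1].unlink()
    # "encrypt" a third file in place without renaming it
    files[2].write_bytes(os.urandom(64))
    # drop a ransom note into the backup tree
    (root / "README_TO_RESTORE.txt").write_text("constructed ransom note for the demo\n")


def demo() -> dict:
    """Build a constructed backup set, take its manifest, run the simulated attack, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backups"
        (root / "db").mkdir(parents=True)
        # constructed sample backup files; names and contents are illustrative only
        (root / "db" / "erp-2020-11-27.dump").write_bytes(b"older constructed dump\n" * 100)
        (root / "db" / "erp-2020-11-28.dump").write_bytes(b"constructed database dump\n" * 100)
        (root / "fileserver-2020-11-28.tar").write_bytes(b"constructed tar archive\n" * 100)

        manifest = build_manifest(root)
        # round-trip through JSON, as it would be when read back from the offline copy
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        assert verify_backup(root, json.loads(manifest_json))["ok"]  # clean set passes

        simulate_ransomware(root)
        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check tells you whether the copy you are about to restore from is the one you wrote; it does not tell you whether that copy is restorable, so periodic restore drills are still needed. Keep the manifest on the same offline or write-once media as the backup it describes: a manifest left on the network share is as easy for the intruder to rewrite as the backups themselves.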