
DoppelPaymer Ransomware Ups the Threat Level by Posting Victim’s Data Publicly If They Don’t Pay

While ransomware is a serious problem, it is also one that can be handled with proper preparation. An organization that fully backs up its systems at regular intervals can usually avoid a payment simply by restoring files. Cyber crime is a world of constant adaptation and escalation, however, and there has been a dangerous mutation. The new DoppelPaymer ransomware doesn’t just lock up data, but also threatens to post the victim’s data to a public leaks site if the ransom isn’t paid.

How the DoppelPaymer ransomware works

Whoever is behind the DoppelPaymer ransomware has launched a site called “Doppel Leaks.” Victims who do not pay find that some of the data from their network has been posted to the site, along with the company name and URL.

The DoppelPaymer ransomware creators appear to be scaling their ransom demands to the size of the company they have compromised. Four companies thus far have had select files posted to the Doppel Leaks site, according to a report by BleepingComputer. The victims included three companies from varying parts of the world whose identities were not disclosed, but appear to be small to mid-sized companies; these organizations were asked for ransoms ranging from $150,000 to $500,000 USD in bitcoin. The largest target was Mexico’s state-run oil company Pemex, which was asked for nearly $5 million in a November attack.

A new trend?

The DoppelPaymer ransomware is not the first variety to steal the victim’s data and then threaten to leak it if they do not pay up. A recent strain of ransomware called Maze was used to extort several companies in this way, including Medical Diagnostic Laboratories and Southwire. However, the hackers behind Maze simply dumped large archive files of data from these companies to a hacking forum. Doppel Leaks is the first known instance of a central site being created that allows people to browse through select pieces of the victim’s data.

The BleepingComputer report noted that several other ransomware operators, such as Nemty and Sodinokibi, had indicated that they would be adopting a model similar to the DoppelPaymer ransomware. It is highly likely that there will be more copycats going forward. The DoppelPaymer group also indicated that they would be publishing more stolen information in the future.

Ransomware in general has been on a significant upward trend for over a year now. Thought to be a dying form of cyberattack as recently as 2018, ransomware has roared back both in frequency and attack scope in the past year. Attack numbers were up 41% in 2019, the average payment more than doubled to $84,116 USD in Q4, and non-traditional targets such as city infrastructure and hospital networks started seeing a trend of targeted attacks.

What the theft of victim’s data means for ransomware defense

It has long been prudent to assume that any attacker able to get malware onto a network was also able to exfiltrate files before doing so. The DoppelPaymer ransomware and the developing trend it represents make clear that ransomware attacks should be treated as a data breach.

It can take months for a forensic examination to determine if the victim’s data was exfiltrated as part of a ransomware attack, so it makes sense to simply assume that the victim’s data has been compromised as a standard best practice. There is nothing stopping threat actors from “double dipping” after targets pay a ransom by putting the exfiltrated data up for sale – or making use of it to perpetrate future attacks.

Erich Kron, Security Awareness Advocate for KnowBe4, advises organizations that ransomware preparedness should be folded in with training and measures to prevent phishing breaches all along the supply chain:

“In the past, simply being able to restore the data was the method of recovery, however prudent organizations have now realized that prevention has taken first place in the defense against these new types of ransomware … As most ransomware is spread through phishing attacks, it is absolutely critical that organizations train their users to be able to spot and report these types of attacks quickly.”

The majority of cyber attacks originate from an opening created by a phishing email. The only other threat that is even close in terms of scope and persistence is unauthorized access by trusted company insiders or partners.

The DoppelPaymer ransomware is certainly another illustration of the need to elevate anti-phishing measures and employee training as a cybersecurity priority, but it also demonstrates that the specific ransomware response plan must now go beyond simply restoring the victim’s data from backups.

While that will still get organizations back online and functional, a ransomware attack must now be treated like a data breach in terms of response and recovery. This would include preparing for any breach reporting regulations that may be in place, such as the stringent terms found in the European Union’s General Data Protection Regulation (GDPR).