
Hackers Demand $17 Million in Compal’s Security Breach Despite the Company’s Denial of the Ransomware Attack

Compal, a Taiwanese electronics company that builds laptops for leading global brands, including HP and Apple, suffered a ransomware attack over the weekend. The DoppelPaymer ransomware gang was implicated in the cyber attack based on a screenshot of the ransom note shared with Yahoo Taiwan reporters. Taiwanese media houses reported that the security breach affected approximately 30% of Compal’s computers. Compal’s employees said that the IT staff advised them to back up important files on the unaffected computers. Compal acknowledged the cyber attack but disputed that a ransomware gang was involved.

Compal acknowledges the security breach but disputes claims of a ransomware attack

Compal Deputy Manager Director Qingxiong Lu admitted that the company was affected by a security breach. However, he denied that the incident was a ransomware attack. His statement said that “Compal is not being blackmailed by hackers,” as reported by local and international media houses.

He also clarified that the security breach affected only Compal’s internal office network but not its production lines. Qingxiong promised that Compal’s IT staff would quickly resolve the “abnormality” in their office automation system. However, Bleeping Computer confirmed that Compal had suffered a DoppelPaymer ransomware attack.

Compal is the second-largest laptop manufacturer in the world after Quanta Computer, another Taiwanese computer manufacturer.

Compal is contracted by leading computer brands such as Apple, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu. Besides laptops, Compal Electronics also builds smartwatches, monitors, tablets, smart TVs, and other computing devices and components.

DoppelPaymer ransomware gang demands payment in Bitcoins

The cybercriminals behind Compal’s security breach demanded close to $17 million from the laptop maker.

The DoppelPaymer Tor payment site linked to the ransom note demanded 1,100 Bitcoins or $16,725,500.00 for Compal to receive a decryptor.

Compal is hardly the only Taiwanese company recently hit by ransomware. In May 2020, the state-owned energy company CPC Corp. was hit by a ColdLocker ransomware attack. Similarly, the Taiwanese plant of US smartwatch maker Garmin suffered a WastedLocker ransomware attack in July.

The DoppelPaymer ransomware gang was also responsible for the ransomware attacks on Newcastle University, PEMEX (Petróleos Mexicanos), Hall County in Georgia, the City of Torrance in California, and Bretagne Télécom. Elon Musk’s SpaceX also suffered a DoppelPaymer-related security breach earlier this year.

Commenting on Compal’s security breach, Gurucul CEO Saryu Nayyar says that the company’s denial of the ransomware attack points to a failure in its cybersecurity strategy.

“While they admit there was a breach but deny it was a ransomware attack, it is obvious there was a failure somewhere in their cybersecurity stack. With a manufacturer like this that builds products for numerous well-known brands, the potential risk is greater than simply a loss of productivity,” Nayyar said. “For example, if an attacker were able to compromise the production line and insert malware directly into new systems, the consequences could be very far-reaching.”

DoppelPaymer ransomware gang operations

DoppelPaymer is ransomware that operates by gaining access to a Windows domain controller and then spreading laterally across all the networked devices.

The ransomware gang operates on a ransomware-as-a-service (RaaS) model, sharing its cybercriminal infrastructure with other threat actors in exchange for a commission after each successful security breach.

Additionally, the quoted ransom is just a starting point and could be negotiated depending on the severity of the security breach. The demanded ransom could also increase if the victim fails to pay on time.

The DoppelPaymer ransomware gang also practices double extortion, threatening to publish the stolen data online if the victim refuses to pay the ransom. It’s alleged that Compal’s security breach involved data exfiltration, which would explain why the company denied that ransomware was involved.

The possibility of leaking intellectual property, including devices’ blueprints and manufacturing processes of renowned brands such as Apple, is a terrifying prospect for the contracted Taiwanese manufacturer.

James McQuiggan, a Security Awareness Advocate at KnowBe4, has bad news for Compal and other breached companies:

“Organizations being hit with ransomware, especially by large groups like Sodinokibi, Doppelpaymer, and Netwalker, have to consider that cybercriminals have exfiltrated data along with the lack of availability of their systems.”