
FBI Warns of DoppelPaymer Ransomware Targeting Critical Infrastructure

The Federal Bureau of Investigation has released a Private Industry Notification to warn of DoppelPaymer ransomware attacks on critical infrastructure.

DoppelPaymer emerged as a forked version of BitPaymer (also known as FriedEx), both believed to be the work of TA505, the threat actor best known for the infamous Dridex Trojan and Locky ransomware families.

“Since its emergence in June 2019, DoppelPaymer ransomware has infected a variety of industries and targets, with actors routinely demanding six- and seven-figure ransoms in Bitcoin (BTC),” the FBI says in its alert.

According to the FBI, the ransomware has been used worldwide, in attacks on verticals such as healthcare, emergency services, and education.

The Bureau also warns businesses that the threat actor behind DoppelPaymer engages in double extortion: before encrypting the targeted systems, the actors exfiltrate data, which they later threaten to leak in order to extort payment or pressure the victim into paying the ransom.

A September 2020 attack on a German hospital prevented emergency service personnel from communicating with the hospital, forcing a patient who required emergency care to be diverted elsewhere. The patient later died, but German authorities concluded that the death was the result of the patient’s poor health rather than of the attack.

In July 2019, DoppelPaymer infected 13 servers of a US medical center, demanding 50 Bitcoin (approximately $600,000 at the time) in ransom. The medical center was able to restore its systems from offsite backups, but the process took several weeks.

Also in September 2020, the threat actor behind DoppelPaymer compromised a county’s E911 Center, making changes that prevented access to the county’s computer-aided dispatch (CAD) system.


“The actors reset passwords, removed accounts from the domain administrators group, and created an admin account called ‘AD.’ In a separate attack on a different county, the actors encrypted servers used by the county responsible for emergency dispatch, patrol, jail, and payroll departments,” the FBI explains.
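The account manipulation the FBI describes (password resets, accounts removed from the domain administrators group, a new admin account created) leaves a distinctive cluster of Windows Security events on the domain controller: 4724 (password reset), 4729/4733 (member removed from a global/local security group), 4720 (account created) and 4728/4732 (member added to a group). The following correlation routine is an added example written for this article, not code from the FBI notification or from any vendor; the event records, the compromised account name `svc_backup`, the hypothetical actor-created account `AD`, and the 30-minute window are constructed assumptions, and the records mirror the EventData fields those event IDs carry when exported from the Security log.

```python
"""Correlate Windows Security events into the pattern the FBI notification
describes: one actor resets passwords, strips members out of a privileged
group and creates a new account that it then promotes, all within minutes.

Each record carries the EventData fields of the corresponding Security event:
  4720        user account created           TargetUserName = new account
  4724        password reset attempted       TargetUserName = victim account
  4728/4732   member added to global/local group
  4729/4733   member removed from global/local group
              MemberName = DN of the member, TargetUserName = group name
SubjectUserName is the account that performed the action in every case.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD = {4728, 4732}
GROUP_REMOVE = {4729, 4733}


def ev(ts, event_id, subject, **fields):
    """Build one constructed event record (assumed shape, see module docstring)."""
    rec = {"TimeCreated": datetime.fromisoformat(ts), "EventID": event_id,
           "SubjectUserName": subject}
    rec.update(fields)
    return rec


def member_account(name):
    """4728/4729 carry MemberName as a DN such as CN=AD,CN=Users,DC=corp,DC=local;
    reduce it to the leading CN value so it can be matched against 4720."""
    first = name.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def correlate(events, window=timedelta(minutes=30), min_removals=2, min_resets=2):
    """Return one alert per acting account that, inside `window`, removed at
    least `min_removals` members from a privileged group, reset at least
    `min_resets` passwords, and created an account it then added to a
    privileged group.  Any single one of these is routine admin work; the
    combination by one actor in a short span is the tradecraft of interest."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["SubjectUserName"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            t0 = first["TimeCreated"]
            span = [e for e in evs[i:] if e["TimeCreated"] - t0 <= window]
            removed = sorted({member_account(e["MemberName"]) for e in span
                              if e["EventID"] in GROUP_REMOVE
                              and e["TargetUserName"] in PRIVILEGED_GROUPS})
            resets = sorted({e["TargetUserName"] for e in span
                             if e["EventID"] == 4724})
            created = {e["TargetUserName"] for e in span if e["EventID"] == 4720}
            promoted = {member_account(e["MemberName"]) for e in span
                        if e["EventID"] in GROUP_ADD
                        and e["TargetUserName"] in PRIVILEGED_GROUPS}
            new_admins = sorted(created & promoted)
            if len(removed) >= min_removals and len(resets) >= min_resets and new_admins:
                alerts.append({"actor": actor, "start": t0.isoformat(),
                               "removed_from_privileged": removed,
                               "password_resets": resets,
                               "new_privileged_accounts": new_admins})
                break  # one alert per actor is enough; the rest is triage
    return alerts


# Constructed sample: a compromised service account carries out the sequence
# the FBI describes, followed by unrelated help-desk activity that must not fire.
SAMPLE_EVENTS = [
    ev("2020-09-01T02:10:00", 4724, "svc_backup", TargetUserName="jdoe"),
    ev("2020-09-01T02:11:00", 4724, "svc_backup", TargetUserName="asmith"),
    ev("2020-09-01T02:12:00", 4729, "svc_backup",
       MemberName="CN=jdoe,CN=Users,DC=corp,DC=local", TargetUserName="Domain Admins"),
    ev("2020-09-01T02:12:30", 4729, "svc_backup",
       MemberName="CN=asmith,CN=Users,DC=corp,DC=local", TargetUserName="Domain Admins"),
    ev("2020-09-01T02:15:00", 4720, "svc_backup", TargetUserName="AD"),
    ev("2020-09-01T02:16:00", 4728, "svc_backup",
       MemberName="CN=AD,CN=Users,DC=corp,DC=local", TargetUserName="Domain Admins"),
    ev("2020-09-01T09:00:00", 4724, "helpdesk1", TargetUserName="bjones"),
    ev("2020-09-01T09:30:00", 4720, "helpdesk1", TargetUserName="newhire07"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Thresholds and the window are deliberately conservative so that a lone password reset or a single onboarding does not page anyone; in practice the `SubjectUserName` grouping also surfaces the compromised account that needs to be disabled first, which the FBI text implies but does not spell out.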

In another attack during the summer of 2020, the adversary disrupted police, emergency services, and other government functions in a US city. As part of the attack, ransomware was used to encrypt files on systems running Windows 7, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

A DoppelPaymer attack on a community college disrupted in-person classes, as access to the campus was restricted for several days. An attack on a different college resulted in three infected servers and restricted network access.

“As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” the FBI explains.

The agency also included a series of mitigation recommendations in its notification.

Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group

Related: Seven Ransomware Families Target Industrial Software

Related: Ransomware Is Mostly Deployed After Hours: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
