
DoppelPaymer ransomware suspects arrested in Germany and Ukraine – Naked Security

You’ve almost certainly heard of the ransomware family known as DoppelPaymer, if only because the name itself is a reminder of the double-barrelled blackmail technique used by many modern ransomware gangs.

To increase the pressure to pay, so-called double extortionists not only scramble all your data files to disrupt business operations, but also steal copies of those files to use as an additional lever.

The idea is that if you pay for the decryption key to unlock your files and get your business back on track, the attackers will very generously agree to delete the stolen files instead of leaking them to the media or to regulators, or selling them to other cybercriminals.

To put it crudely, the blackmailers are inviting you to pay both for a positive action (handing over the decryption key) and for a negative one (not leaking the stolen data).

Even if you have reliable backups and can get your business running again on your own without paying for a decryption key…

… the crooks can still blackmail you into handing over the money anyway, by promising to keep quiet about the fact that you suffered a data breach.

Double-extortion attackers usually steal the files in unencrypted form before scrambling them, although given that they already know the decryption key, they could just as well steal them during or after the scrambling process.

Naming and shaming

DoppelPaymer, like many other cybergangs of this kind, ran its own online name-and-shame website, as mentioned in a recent press release from Europol:

The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of whom are businesses. One of the most serious attacks was against the University Hospital in Düsseldorf. In the US, victims paid at least €40 million between May 2019 and March 2021.

That’s bad news.

The good news is the reason Europol is writing about DoppelPaymer now.

A joint operation involving German, Ukrainian and US law enforcement has just resulted in suspects being questioned and arrested in Germany and Ukraine, and in electronic devices being seized in Ukraine for forensic analysis.

Europol didn’t publish any photos of the seized equipment, but we assume that laptops and mobile phones were carted off for examination, along with vehicles (which these days are effectively multi-purpose online computing networks in their own right).

Servers may still be running

The press release did not say whether investigators were able to seize or shut down any servers linked to the gang.

Servers these days, whether run by legitimate businesses or by criminals, tend to live somewhere in the cloud, which literally means “someone else’s computer”, and almost always also means “somewhere else, probably in another country.”

Unfortunately, with judicious use of dark web anonymity tools and careful operational security, criminals can hide the physical location of their servers.

Those servers may include the name-and-shame website where victims’ names and stolen data are posted, databases that record the current victims’ decryption keys and whether or not they have paid, and “business network” servers where affiliates sign up to help mount attacks.

So even when the police arrest some, many or all of a ransomware gang’s members, the ransomware activity doesn’t always stop, because the infrastructure remains in place and can be taken over by other gang members, or by rivals, to continue the extortion.

Similarly, if the police do take down and seize a server that is vital to a ransomware gang, the same dark web anonymity that makes it difficult to trace forwards from an arrested user to a server…

… also makes it difficult to trace backwards from a seized server to identify and arrest its users.

Unless, of course, the crooks make a technical or operational mistake, such as connecting directly to a server just once instead of going through an anonymising service like Tor (The Onion Router), or relying on some other underworld service whose operators, whether by accident or by design, end up giving them away.


Learn more about how crooks on the dark web get caught.

We talk to renowned cybersecurity author Andy Greenberg about his excellent book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.



What should I do?

  • Don’t drop your guard. Welcome as these arrests are, and likely as it is that the seized devices will help the police identify further suspects, this bust on its own is unlikely to do much damage to the ransomware scene as a whole. Indeed, on this very point, Europol itself warns: “According to reports, DoppelPaymer has since rebranded [as a ransomware gang called] ‘Grief’.”
  • Don’t focus on ransomware alone. Remember that ransomware attacks are often the tail end of an extended intrusion, or of several intrusions, in which criminals roam freely through your network. Crooks who can steal data from computers throughout the company, and scramble almost any file they want on just about any laptop and server they want, can (and often do) carry out almost any kind of sysadmin-level action they want. Not surprisingly, this malicious “sysadmin” activity often involves quietly opening up holes so that the same crooks, or others, can get back in later.
  • Don’t wait for threat alerts to appear on your dashboard. In a double-extortion ransomware attack, for example, the data theft step in which the crooks loot your files before scrambling them is a clear warning that an attack is actively under way. But with a good threat hunting team, either in-house or deployed as a service, you can aim to detect signs of an attack much earlier than that, ideally even before the attackers have established an initial beachhead from which to attack the rest of your network.
  • Don’t pay if you can avoid it. As we always say, we won’t judge you if you do, but paying not only funds the next wave of cybercrime, it may not work at all. Colonial Pipeline notoriously spent more than $4 million on decryption tools that proved useless, and Dutch police recently warned about a cyberextortion gang that claimed to have made its fortune by “selling silence” for millions of dollars, only for the stolen data to be leaked anyway.
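The warning sign mentioned in the threat-hunting item above, as an added illustration that is not code from the original article or from Sophos: a small Python check that flags a host whose daily outbound volume jumps far above its own historical baseline, and lists any destinations that host has never contacted before. The flow records, host names, addresses and thresholds are constructed for the example; a real deployment would read the same kind of per-flow byte counts from NetFlow, proxy or firewall logs.

```python
"""Spot the bulk data theft that typically precedes file scrambling.

Added illustration only; SAMPLE_FLOWS is constructed data, not telemetry
from any real incident.
"""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (day, source_host, destination, bytes_out).
# Days 1-5 are quiet. On day 6 "fileserver-02" pushes about 40 GB to an address
# it has never contacted before, while its usual backup traffic carries on.
SAMPLE_FLOWS = [
    # fileserver-02: roughly 1 GB/day of backup traffic to one known destination
    (1, "fileserver-02", "203.0.113.10", 900_000_000),
    (2, "fileserver-02", "203.0.113.10", 1_100_000_000),
    (3, "fileserver-02", "203.0.113.10", 800_000_000),
    (4, "fileserver-02", "203.0.113.10", 1_000_000_000),
    (5, "fileserver-02", "203.0.113.10", 950_000_000),
    (6, "fileserver-02", "203.0.113.10", 1_000_000_000),
    (6, "fileserver-02", "198.51.100.77", 40_000_000_000),  # the suspicious transfer
    # build-agent-03: legitimately ships ~30 GB/day of build artifacts, so a
    # large absolute volume on its own must not trigger an alert
    (1, "build-agent-03", "192.0.2.50", 30_000_000_000),
    (2, "build-agent-03", "192.0.2.50", 30_000_000_000),
    (3, "build-agent-03", "192.0.2.50", 30_000_000_000),
    (4, "build-agent-03", "192.0.2.50", 30_000_000_000),
    (5, "build-agent-03", "192.0.2.50", 30_000_000_000),
    (6, "build-agent-03", "192.0.2.50", 32_000_000_000),
    # hr-laptop-17: small, steady volume
    (1, "hr-laptop-17", "203.0.113.20", 200_000_000),
    (2, "hr-laptop-17", "203.0.113.20", 200_000_000),
    (3, "hr-laptop-17", "203.0.113.20", 200_000_000),
    (4, "hr-laptop-17", "203.0.113.20", 200_000_000),
    (5, "hr-laptop-17", "203.0.113.20", 200_000_000),
    (6, "hr-laptop-17", "203.0.113.20", 250_000_000),
]

SPIKE_FACTOR = 10.0         # today's total must be >= 10x the host's own median
MIN_BYTES = 5 * 1024 ** 3   # ...and at least 5 GiB, to ignore noise from small hosts


def daily_totals(flows):
    """Return {host: {day: total_bytes_out}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def destinations_before(flows, day):
    """Return {host: set of destinations seen strictly before `day`}."""
    seen = defaultdict(set)
    for d, host, dst, _nbytes in flows:
        if d < day:
            seen[host].add(dst)
    return seen


def find_exfil_candidates(flows, day, spike_factor=SPIKE_FACTOR, min_bytes=MIN_BYTES):
    """Flag hosts whose outbound volume on `day` dwarfs their own history.

    A host is flagged when its total for `day` is at least `min_bytes` AND at
    least `spike_factor` times the median of its earlier daily totals. Using
    the host's own median keeps a chatty build server from alerting while a
    normally quiet file server that suddenly pushes tens of GB does alert.
    Hosts with no earlier history are skipped (nothing to compare against).
    """
    totals = daily_totals(flows)
    known = destinations_before(flows, day)
    alerts = []
    for host, by_day in totals.items():
        today = by_day.get(day, 0)
        history = [b for d, b in by_day.items() if d < day]
        if not history:
            continue
        baseline = median(history)
        if today < min_bytes or today < spike_factor * max(baseline, 1):
            continue
        new_dsts = sorted({dst for d, h, dst, _ in flows
                           if d == day and h == host and dst not in known[host]})
        alerts.append({
            "host": host,
            "day": day,
            "bytes_out": today,
            "baseline": baseline,
            "ratio": round(today / max(baseline, 1), 1),
            "new_destinations": new_dsts,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_FLOWS, day=6):
        print(f"{alert['host']}: {alert['bytes_out'] / 1e9:.1f} GB out on day {alert['day']} "
              f"({alert['ratio']}x baseline), new destinations: {alert['new_destinations']}")
```

Run against the constructed data, only fileserver-02 is flagged on day 6 (41 GB against a 0.95 GB median, to a brand-new destination), while the build server's 32 GB passes because it is in line with its own baseline. The baseline-relative rule is the point: an absolute byte threshold alone would either miss the file server or drown you in alerts from the build farm.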


    Learn more about active adversaries

    Read our Active Adversary Playbook,
    a fascinating study of 144 real attacks by Sophos Field CTO John Shier.

