DoppelPaymer ransomware victims who decide not to pay are exposed on a site created by the malware's developers
A site called “Dopple Leaks”, created to disclose data of ransomware victims, went public this week. The attackers stated that the site was created to leak names and other data obtained from the infected machines of victims who refused to meet their ransom demands. Its primary purpose is to shame victims and expose them to government fines and lawsuits, since that pressure may bring the criminals more payments.
The technique mimics an earlier incident in which the Maze ransomware developers leaked data left and right to expose victims who would not cooperate with their ransom demands. In December 2019, the hackers behind that cryptovirus exposed 120 GB of data stolen from the company Southwire, which decided not to pay the demanded $6 million.
Unfortunately, before the ransomware encrypts data on a machine or, with larger targets, an entire network, it manages to obtain files that often contain especially valuable information. Soon after this news, other ransomware creators stated that this is a practice they might use later on.
The darknet site primarily exposed data of four companies
As the site's developers stated, the page was still in development, so only a few files from non-compliant victims had been published. Unfortunately, as long as such data collection techniques continue to be used, data breaches cannot end, and this method of exposing victims and companies may be adopted by even more criminals.
The particular targets whose data was exposed included:
- A French telecommunication cloud services company that refused to pay 35 Bitcoins;
- A logistics & supply chain company from South Africa. The company was hacked on January 20th and was asked to pay 50 Bitcoins;
- A merchant from the USA that decided not to pay a ransom of 15 Bitcoins;
- A state-owned oil company from Mexico, Pemex. The company was told to pay 569 Bitcoins, worth just a little shy of $5 million.
As the attackers told researchers, Pemex was the biggest target, and the data that got exposed was only a small part of the information stolen from the oil company; a large amount of the obtained files is still unsorted. As for the other victims, the data was not that “interesting”, or a data breach was not the hackers' goal at the time. They plan to exfiltrate more data in their upcoming attacks, though, so companies should be transparent about data breaches and ransomware attacks to let the public know about these incidents.
French cloud service provider hacked: 30 TB of data got encrypted
The DoppelPaymer ransomware creators exploited the CVE-2019-19781 vulnerability to hack unpatched servers. Bretagne Télécom, a cloud hosting and enterprise telecommunications company that manages around 10,000 servers and has 3,000 customers, suffered a ransomware attack.
The payload was dropped on the compromised servers in January. Citrix released a number of patches for vulnerable ADC devices, with the final patch released on January 24th. DoppelPaymer managed to encrypt 148 machines connected to the vulnerable servers, which contained data of thirty small business customers.
The later publication on the shaming site revealed that, because the company refused to pay the demanded 35 Bitcoins, equivalent to around $330,000, for the alleged decryption services, data collected before the encryption was publicly released. Some of the files were leaked on the Dopple Leaks domain, but the company managed to restore its customers' data from backups quite fast.