DoppelPaymer attacks the City of Torrance: 100 BTC ransom expected

DoppelPaymer arranged an attack over the City of Torrance, 200 GB files said to be stolen

DoppelPaymer developers initiated a targeted attack over the City Manager of Torrance. 200 GB files allegedly stolen

DoppelPaymer ransomware hit the City of Torrance, Los Angeles, California, with 200 GB files stolen, 150 servers compromised, and 500 devices encrypted. While the incident is currently under investigation, experts speculate that the attack might be alleged. However, criminals insist on the city to pay 100 Bitcoin ($689,147) for not exposing financial information, accounting details, scanned documents, and other confidential information stolen from City Manager on Dopple Leaks^[1].

The actors behind the DoppelPaymer ransomware are known for initiating targeted attacks to reach high-profile targets like the City of Edcouch, Chilean Ministry of Agriculture, and, this time, possibly the City of Torrance. Using brute-force attacks via unprotected RDP (Remote Desktop Protocol) connections, taking advantage of Trojan infections, and other sophisticated means, the ransomware utilizes lists of CRC32 checksums, injects ProessHacker with custom DLL, and exhibits an extreme persistence and data encryption speed.

According to cybersecurity researchers, DoppelPaymer ransomware might not only manage to encrypt hundreds of GB of files on the devices of City Manager but transmit nearly 269,123 data to remote control servers. There's a clear ground on believing that these numbers are realistic as the attackers provided proof of a crime in Dopple Leaks. An entry called “City of Torrance, CA” featuring some pieces of city's archived data has been uploaded.

An attempt to finish an unfinished crime? The City of Torrance experienced an attack over servers a couple of months ago

In March 2020, cybersecurity news sites reported an attack over the computer systems in the City of Torrance. According to the officials^[2], attackers did not reach personal data that may cause privacy-related issues, though approved that “certain city business services,” including Transit store, were compromised.

During the current attack, attackers allegedly compromised 150 servers and encrypted half of a thousand devices, resulting in nearly 270,000 files leaked. Did criminals seek to put the dot in the unfinished attack held in March is an open question, which will be answered if the city refuses to pay the demanded ransom – $690,00 based on the current Bitcoin price^[3].

Unconscious online behavior – a straight way to a ransomware attack

There are hundreds of active ransomware-type viruses circulating in the wild. Thus inconsiderate navigation through dangerous websites, downloads of questionable free programs, file sharing on torrents, usage of cracks, and suchlike activities can lead to a virus attack resulting in encryption of personal files.

DoppelPaymer is one of the severe ransomware infections, which keeps evolving since 2017 and attacking both individual users and businesses. The criminals render a combination of RSA-2048 and AES-256 encryption algorithm, the virus locks data on a host machine and appends .locked file extension to each compromised file.

Besides, the virus generates a [filename].[file extension].readme2unlock.txt ransom note for each file, which contains a DO-NOTs list and instructions on how to contact the criminals and transfer the payment. Based on the previous DoppelPaymer ransomware attacks, it seems that criminals decide the ransom size depending on the number of files stolen.

In any way, ransom payment is not recommended due to the risk of identity theft. Besides, no one can guarantee the success of the deal with the criminals. Instead of that, take precautionary measures to protect your PC or server from suchlike attacks. Intelligent investments not only pay off but can also save thousands of dollars.