City of Torrance Suffers DoppelPaymer Ransomware Attack

Delaware, USA – April 22, 2020 – Adversaries stole 200 GB of data from servers of the City of Torrance, in the Los Angeles metropolitan area, California, before encrypting them, and now threaten to sell the stolen data on the dark web to ‘cover the costs of the attack’. The attack occurred back in early March, and officials claimed that public personal data was not impacted, but according to BleepingComputer, the DoppelPaymer operators have stolen almost 270,000 files, including accounting documents, document scans, city budget financials, and an archive of documents belonging to the City Manager. The cybercriminals demand that the City of Torrance administration pay 100 bitcoins (almost $690,000) for the decryption key, the deletion of already published files, and a promise not to publish or sell other data.

Cybercriminals started using DoppelPaymer ransomware a year ago. The malware is based on the BitPaymer code and is used only against high-profile targets. In early February, inspired by the success of Maze ransomware, its operators began stealing valuable data before encrypting files, and then publishing and selling it if the victim does not pay the ransom. At the end of the month, the adversaries launched a site on which they publish information about their victims and part of the stolen files. With the start of the COVID-19 pandemic, the group behind DoppelPaymer ransomware promised not to attack hospitals, and their last attack on the healthcare sector was on February 11, when they encrypted systems of NRC Health, a Lincoln company that offers performance measurement and management services for health care companies.

You can secure your organization by deploying the Ransomware Hunter rule pack, which leverages statistical profiling and behavioral analysis methods to spot signs of a ransomware attack at every stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter