The DoppelPaymer ransomware operators claim that they’ve hit a Los Angeles County city with a ransomware attack – and are now leaking the city’s data online, according to a recent report.
Impacted is the city of Torrance, a coastal U.S. city in the South Bay region of LA, which has a population of nearly 150,000. According to a Tuesday report by Bleeping Computer, the attackers behind the DoppelPaymer ransomware are demanding 100 Bitcoin ($689,147) in ransom from the city. The attackers told the news outlet that they encrypted 150 servers and 500 workstations, and stole over 200GB of files, in a cyberattack on March 1.
On March 1, the city did report that its email accounts and servers were impacted by a cyberattack. At the time, city officials said that certain city business services were compromised (not including safety operations). “Government agency cyber experts are currently investigating the source of the attack,” according to the city’s press release at the time. “Staff is working with the appropriate agencies to resolve all issues. Public personal data has not been impacted.”
Press Release: TORRANCE EXPERIENCED A CYBER ATTACK TO CITY SERVERS https://t.co/t7EUFjwbFh
— City of Torrance (@TorranceCA) March 2, 2020
Threatpost has reached out to the city of Torrance for further comment but has not yet heard back.
On top of encrypting the city’s files, the ransomware group has also reportedly leaked some of the data online – and is threatening to leak even more information. This is a tactic that researchers call “double extortion,” where attackers threaten to leak compromised data or use it in future spam attacks if ransom demands aren’t met. The double extortion tactic was first utilized by Maze operators in a ransomware attack against Allied Universal – and has since been adopted by the DoppelPaymer, Clop and Sodinokibi ransomware families.
According to Bleeping Computer, in February 2020 DoppelPaymer’s operators created a dedicated website called “Dopple Leaks,” which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data. The website now has a page called “City of Torrance, CA,” containing various leaked file archives that were allegedly compromised during the ransomware attack. These archives reportedly include city budget financials, files from accounting departments, and documents belonging to the city manager.
Erich Kron, security awareness advocate at KnowBe4, said DoppelPaymer’s double-edged sword of blocking access to files and leaking the data leaves limited options for Torrance.
“Whether they pay or not, the data has left the protected system and the city is going to have to treat it as a data breach,” he said in an email. “There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game.”
Ransomware attacks specifically targeting city and local governments continue to make headlines. In June 2019, two Florida cities – Lake City and Riviera Beach – were both hit by ransomware attacks and decided to pay off the hackers. And, after a rash of public schools were hit with ransomware in July 2019, Louisiana’s governor declared a statewide state of emergency. The city of Baltimore, meanwhile, is another high-profile victim of ransomware, which hit in May 2019 and halted some city services like water bills, permits and more, with attackers demanding a $76,000 ransom. And in 2018, several Atlanta city systems were infamously crippled after a ransomware attack extorted the municipality for $51,000.
Ransomware attacks are another layer of problems for cities already hard hit by economic losses stemming from coronavirus-induced business closures. In the case of Torrance, city officials have told local outlets that these economic losses will create a massive crater in Torrance’s city budget over the next two fiscal years, with a projected reduction of at least $45 million in tax revenues.
“This is another example of the ongoing ransomware attacks plaguing cities, states and municipalities across the country,” Kron said. “To make things worse, performing these sorts of attacks during a global pandemic is bound to impact already limited resources both financial and human in nature.”