DoppelPaymer ransomware gang now cold-calling victims, FBI warns

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay, threatening to send individuals to their homes.

The FBI is warning of a new escalation in the extortion tactics of the DoppelPaymer ransomware gang: the operators have been calling victims and threatening to send individuals to their homes if they do not pay the ransom.

According to a Private Industry Notification (PIN) sent by the FBI to private-sector organizations, the Bureau is aware of extortion activity of this kind dating back to February 2020.

Earlier this month, Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet that multiple ransomware gangs cold-call victims who refuse to pay the ransom and attempt to restore from backups. Several gangs, including Sekhmet, Conti, and Ryuk, have adopted the practice since August.

The FBI PIN, number 20201210-001, was issued on December 10, 2020. It details DoppelPaymer's criminal activity and the sectors on which the group focuses (healthcare, emergency services, and educational institutions).

The report also details additional tactics, techniques, and procedures associated with the threat, including intimidation through phone calls.

“As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data. In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom.” states the FBI’s PIN. “During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”

The agency then goes on to detail one incident in which the threats escalated from the attacked company to its employees and even their relatives. From the PIN alert:

The threat actor threatened to send an individual to the home of an employee and provided the employee’s home address.

Such threats of violence are not credible in practice; their only purpose is to put pressure on the victim.

The alert also includes the following recommended mitigations against ransomware attacks:

  • Ensure backups are secure and are disconnected from the network at the conclusion of each backup session.
  • Audit user accounts regularly, particularly Remote Monitoring and Management accounts that are publicly accessible.
  • Patch operating systems, software, firmware, and endpoints.
  • Monitor inbound and outbound network traffic; set alerts for data exfiltration.
  • Apply two-factor authentication to user login credentials, receiving codes by text rather than email, since the actors may already control victim email accounts.
  • Implement least privilege for file, directory, and network share permissions.
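The exfiltration-alert item above is the one most teams leave vague, yet it matters here because DoppelPaymer's phone threats hinge on data already stolen before encryption. The following Python is an added example, not code from the FBI PIN or this article: it sums per-host outbound bytes to external addresses from constructed NetFlow-style records and raises an alert when a host exceeds both an absolute floor and a multiple of its assumed daily baseline. The internal address ranges, the baseline figures, the thresholds and the sample flows are all assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address ranges; flows that stay inside them are not exfiltration.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records for illustration: (timestamp, src_ip, dst_ip, dst_port, bytes_sent).
FLOWS = [
    ("2020-12-08T01:00:00Z", "10.0.1.15", "10.0.2.5",     445, 120_000_000),    # internal SMB copy
    ("2020-12-08T01:05:00Z", "10.0.1.15", "203.0.113.7",  443, 4_200_000_000),  # 4.2 GB to an external host
    ("2020-12-08T01:10:00Z", "10.0.1.15", "203.0.113.7",  443, 3_900_000_000),  # another 3.9 GB
    ("2020-12-08T01:12:00Z", "10.0.1.22", "198.51.100.9", 443, 25_000_000),     # 25 MB, ordinary traffic
    ("2020-12-08T01:20:00Z", "10.0.1.30", "10.0.2.5",     445, 900_000_000),    # large but internal
    ("2020-12-08T01:25:00Z", "10.0.1.41", "203.0.113.7",  22,  1_500_000_000),  # host with no baseline
]

# Assumed per-host baseline of typical daily outbound bytes to external addresses
# (in practice derived from weeks of history); 10.0.1.41 is deliberately absent.
BASELINE = {"10.0.1.15": 60_000_000, "10.0.1.22": 40_000_000, "10.0.1.30": 10_000_000}


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows):
    """Sum bytes sent from internal hosts to external destinations, keyed by source IP."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def exfil_alerts(flows, baseline, ratio=20.0, floor=1_000_000_000):
    """Return (src, bytes_out, baseline_or_None) for hosts whose external egress is
    at least `floor` bytes and, where a baseline exists, at least `ratio` times it.
    A host with no baseline is judged on the absolute floor alone, so a newly built
    or newly compromised machine cannot hide behind missing history."""
    alerts = []
    for src, total in sorted(outbound_by_host(flows).items()):
        if total < floor:
            continue
        base = baseline.get(src)
        if base is None or total >= ratio * base:
            alerts.append((src, total, base))
    return alerts


if __name__ == "__main__":
    for src, total, base in exfil_alerts(FLOWS, BASELINE):
        typical = f"{base / 1e6:.0f} MB/day" if base is not None else "no baseline"
        print(f"ALERT {src}: {total / 1e9:.2f} GB to external hosts (typical {typical})")
```

Run against the constructed flows, only 10.0.1.15 (8.1 GB against a 60 MB baseline) and the baseline-less 10.0.1.41 (1.5 GB) are flagged; the 900 MB internal copy and the 25 MB of ordinary traffic are not. The two-part threshold is deliberate: a ratio alone fires on quiet hosts that send a few megabytes, a floor alone misses a slow leak from a host that normally sends nothing, so a real deployment should tune both to its own traffic and window length.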

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)
