The DoppelPaymer ransomware group has claimed responsibility for a hack of the online systems of the Office of the Chief Justice.
A leak posted to the group’s site on the dark web specifically mentions the Internet address https://www.judiciary.org.za/.
“Below you can find private data of the companies which were hacked by DoppelPaymer,” the group’s site states.
“This companies decided to keep the leakage secret. And now their time to pay is over.”
A media report has linked the purported DoppelPaymer attack on the Office of the Chief Justice to an attempt to steal money from the Guardian’s Fund, which is administered by the Department of Justice and Constitutional Development.
However, Emsisoft threat analyst Brett Callow told MyBroadband that he has never heard of DoppelPaymer or any other ransomware group attempting to directly steal money.
“Extort it, yes; steal it, no,” Callow said.
Ministry of Justice spokesperson Chrispin Phiri also stated that it is not clear at this stage whether the attempt to transfer money from the Guardian’s Fund was a cyberattack.
Crucially, Phiri said that the Department of Justice and Constitutional Development did not receive a ransom demand.
This suggests that the attack on the systems of the Office of the Chief Justice, for which DoppelPaymer is taking credit, and the attempt to steal money from the Guardian’s Fund may be two separate incidents.
The Guardian’s Fund receives and manages money on behalf of people who are legally incapable or do not have the capacity to manage their own affairs. This includes minors, unborn heirs, and missing or absent persons.
The money in the Guardian’s Fund is invested with the Public Investment Commission and audited annually. The High Court appoints a guardian, who can then claim maintenance for the person whose money is held in the fund.
DoppelPaymer may have sensitive data from the Office of the Chief Justice
Callow said that the real question is which, if any, of the Office of the Chief Justice’s systems were accessed and encrypted, and what information those systems held.
“Because DoppelPaymer may now have all that information,” said Callow.
“Encryption is the very last stage of the attack. Actors have access to networks for an average of 56 days before they encrypt and they use that time to exfiltrate data, amongst other things.”
It sometimes happens that an organisation blocks the ransomware itself and prevents its files from being encrypted, but by that point the attackers already have its data.
Callow said that ransomware is becoming increasingly problematic.
“In the past, small businesses were the primary targets with the demands averaging only $5,000 USD in 2018,” Callow stated.
“Today, while small businesses are still targeted, threat actors are increasingly focused on large multinationals and government entities with the average demand having increased to somewhere between $150,000 and $250,000.”
This means that there are now better-resourced and more motivated cybercriminals than ever before.
“In addition to putting individuals’ personal information at risk, these incidents also represent a risk to legal processes, companies’ intellectual property and even national and election security,” Callow said.
“We believe that the only solution to the problem is to ban ransom payments, and this is something we recently called for. Simply put, if the flow of money stops, the attacks will stop.”
Emsisoft’s call for a ban on ransomware payments echoes the sentiments of the former head of the UK’s National Cyber Security Centre, Ciaran Martin.
“If I had one policy card to play in the next year, I would ask for a serious examination of whether we should change the law to make it illegal for organizations in the UK to pay ransoms in the case of ransomware,” Martin stated.
“The case is not a slam dunk, and if the answer is no, then we should think of something else to counter ransomware, the single biggest contemporary scourge in cyberspace.”
Office of the Chief Justice – No comment
MyBroadband asked the Office of the Chief Justice for details about the attack on its systems, but its spokesperson did not respond by the time of publication.