The DoppelPaymer ransomware group has released data which it said it exfiltrated during an attack on the systems of the Office of the Chief Justice in South Africa.
DoppelPaymer first claimed responsibility for the attack towards the end of September. It initially only posted two files as proof that it had extracted data.
The group’s site on the dark web has since been updated with links to a 234MB archive of documents purportedly taken from compromised machines within the Office of the Chief Justice.
DoppelPaymer’s usual routine is to break into vulnerable systems, extract potentially valuable data, then encrypt the data on the compromised machines and hold them to ransom.
The group therefore has two angles from which to extort money from its targets: pay to regain access to the encrypted data, and pay so that the group does not post the stolen data to the Internet.
A message at the top of the group’s site on the dark web states its intention to extort money from its targets:
“Below you can find private data of the companies which were hacked by DoppelPaymer. These companies decided to keep the leakage secret. And now their time to pay is over,” it states.
That DoppelPaymer has started posting data from this attack to the dark web suggests that the Office of the Chief Justice has declined to pay the ransom.
No good options
“Organizations faced with a data exfiltration situation are without good options,” Emsisoft threat analyst Brett Callow told MyBroadband.
“Whether they pay or not, they’ve had a data breach. Paying the demand will simply get the organization a promise that the stolen data will be destroyed — but, as that promise is coming from criminals, it carries very little weight.”
Callow said that whether an attacker actually destroys the data after you pay them is something only they know.
“I suspect they do not,” Callow warned.
“Why would a criminal enterprise destroy data that it may be able to further monetize at some future date?”
Callow said that ransomware in general is becoming increasingly problematic.
“In the past, small businesses were the primary targets, with the demands averaging only $5,000 USD in 2018,” stated Callow.
While small businesses are still targeted, Callow said that attackers have become more focused on large multi-nationals and government entities. He said that the average ransom demand has also increased to somewhere between $150,000 and $250,000.
“As a result, we have better-resourced and more motivated cybercriminals than ever before,” Callow said.
In addition to putting individuals’ personal information at risk, Callow said that incidents like these also represent a risk to legal processes, companies’ intellectual property, and even national and election security.
“We believe that the only solution to the problem is to ban ransom payments,” said Callow.
MyBroadband asked the Office of the Chief Justice for comment. A spokesperson asked for a link to the data posted by DoppelPaymer, but provided no further feedback.