Ransomware Now Leaking Stolen Documents

Originally, ransomware didn’t involve any data theft. Malware would encrypt the data on your computer, and demand a ransom for the encryption key. Now ransomware is increasingly involving both encryption and exfiltration. Brian Krebs wrote about this in December. It’s a further incentive for the victims to pay.

Recently, the aerospace company Visser Precision was hit by the DoppelPaymer ransomware. The company refused to pay, so the criminals leaked documents and data belonging to Visser Precision, Lockheed Martin, Boeing, SpaceX, the US Navy, and others.

Posted on April 14, 2020 at 7:48 AM • 15 Comments

Comments

Sancho_P April 14, 2020 9:08 AM

Much better than bug bounty programs.
Even if they pay the breach (not the data) should be made public.
Costs + public shaming are the only way (incentive) to improve.

Павел April 14, 2020 12:43 PM

Misleading title…

Is there any confirmation out there this is functionality of the ransomware? It may not be the “ransomware” itself that is exfiltrating any data but the adversary who whisked away the docs while inside the environment.

All articles describing this incident only describe that documents were made available online but no analysis of the ransomware functionality.

Even Krebs’ article described this as actions by the ‘crew’ not the ransomware.

Matt April 14, 2020 2:12 PM

With the leak containing government data, all the more argument for DoD pushing its CMMC certification agenda. You are only as secure as the weakest point in your supply chain.

Ron April 14, 2020 2:28 PM

This is going to be especially troublesome (and costly) for governments and private/public medical facilities that become compromised. The lawsuit awards for HIPAA privacy violations will be staggering.

GV April 14, 2020 2:59 PM

I am mystified by your reference to a Brian Krebs article followed by The Register piece link that wasn’t authored by Krebs or even mentioned him. I expected the link to take me to the Krebs article.

La Abeja April 14, 2020 8:02 PM

@Ron

The lawsuit awards for HIPAA privacy violations will be staggering.

Attorneys fees, class action certification in federal court, and an offer of two years free credit monitoring services to eligible affected bachelors and bachelorettes.

Patrons of “family” medical practice hire the same attorneys to have their unwanted family members “committed” to a psychiatric ward or mental institution, and ensure gun rights are revoked for life even if they let the patient out if the family is unable to pay for the full lifetime institutionalization.

metaschima April 14, 2020 10:21 PM

This is actually an excellent article on this malware:
https://lifars.com/2019/11/analysis-of-dridex-bitpaymer-and-doppelpaymer-campaign/

It seems that in order to exfiltrate the data they first use Dridex malware, and once they have the data, they again use Dridex to launch DoppelPaymer or technically any other cryptoransom malware.

RealFakeNews April 15, 2020 4:25 AM

Which part of “internet” are people struggling with?

Take your systems offline and use others if you need internet access.

Seriously…it’s 2020. Why are we still having this basic discussion?

La Abeja April 15, 2020 2:54 PM

Ransomware Now Leaking Stolen Documents

Originally, ransomware didn’t involve any data theft. Malware would encrypt the data on your computer, and demand a ransom for the encryption key. Now ransomware is increasingly involving both encryption and exfiltration. … further incentive for the victims to pay.

We’ve got to step back and look at the big picture here.

These criminals are bad guys. Really, really bad guys.

A ransom? Or even the suggestion of a ransom? It’s old-fashioned. Charles Lindbergh’s baby. They’re kidnapping children: a mafiosa from the clan is showing up in court with falsified birth certificates, divorce papers, restraining orders, excessive jewelry, fraudulent demands for child support and alimony, and so on and so forth.

So now we’ve got all these federal employees running around with SF-86 // SF-87 forms, and they’ve got the proper clearance and fingerprint background checks to work for the government, psychological profiles, polygraph lie detector tests. That was the OPM under Katherine Archuleta. All that information got hacked from an unclassified computer system.

There’s an “issue” matrix for those people to work for the government. Federal government workers are supposed to be “blackmail-proof”: if they’re “gay”, they are required to be “out” about it, or else the crooks are threatening to mail explicit photos to their wives.

What if you were Ring-cammed in your bedroom by your parents as a teenager? Then they pull the whole “Clockwork Orange” // “Screwtape Letters” bit.

And that’s if you’re a federal employee. So what about the rest of us? If I apply to work at a big corporation, then a big boss from “corporate” comes down with an order to fire me under the table, or scare me, or cause me to leave town, or even put out a murder-for-hire commission on my head.

So can I work for a small business? No again. The owner of the small business receives veiled threats and ominous warnings about the new hire.

I’m going to start a business and become self-employed now? Deal with the IRS, city hall permitting, licensure, regulation, insurance, bonding, payroll taxes, etc. Meanwhile city hall is scheming and planning to put me in the mental hospital, prison, or jail no matter what, if they fail at their outright plans to murder me in open day.

La Abeja April 15, 2020 3:02 PM

@Pavel

It may not be the “ransomware” itself that is exfiltrating any data but the adversary who whisked away the docs while inside the environment.

How much ransomware do I need to buy a loaf of bread in town?

Howo April 15, 2020 7:12 PM

Costs + public shaming are the only way (incentive) to improve.

I agree with you. And I still condemn leaking private data of others.

Take your systems offline and use others if you need internet access.
Seriously…it’s 2020. Why are we still having this basic discussion?

Because almost all Internet users have no idea how operating systems (and other software) work, how buggy they are, and how sloppy software engineers and programmers can be.

Jesse Thompson April 16, 2020 12:13 AM

@RealFakeNews

It’s just the Sandboxing Cycle.

But that said, ultimately the value of information is at least partly a function of how accessible it is.

If it didn’t need to be online, then what use would it be to anyone offline either? The data might as well just be incinerated at that point.

That said, people do need to begin viewing data as a powerful liability. One should securely incinerate any piece of data they no longer require access to.

Clive Robinson April 17, 2020 8:34 AM

@ BAE,

So where was the weak point? In the supply chain. Some little company, in some backwater downunder. Didn’t this happen before? Yeah that’s right, back in the ’80s.

Supply chain : check
Small company : check
In nowheresville : check
Happened before : check…check
Back in the : ’80s ’90s ’00s ’10s ’20s…

The answer to why is,

    We did not learn the first time or the thousands afterwards…

The reason is,

    We ignore our history, we don’t write it down, we don’t teach it, we are thus condemned to reliving it over and over.

The dull reason is that, rather than accept that the tools we use are imperfect, as most engineers do, and thus learn to live within the capabilities of what we have, we keep throwing more on top hoping to abstract that which is imperfect into a flight of fancy which, like all dreams, is perfect, including those “perfect nightmares” which are all we can remember into the future and just keep trying to run away from…

We now have CPUs with such complex ISAs that it’s beyond most people’s abilities, even those who designed them only know one small part… We then have this huge gulf on the other side of which is a language so bereft of usefulness that it has less power than the ISAs of early 8-bit CPUs used in home computers and games machines of the late 1970’s.

This language that even its designers admit is at best not well designed forms the foundation of nearly every other language since, be it first hand or multihand. Beneath nearly all lurks C…

The only advantage of C is that you can learn the base language, bad as it is, once, in a day or two, then spend much more time learning how to deal with memory handling abstractions for at least as long as it takes to learn the standard libraries…

But somebody decided this abstraction was not sufficient so they dropped Objects on top and like a triangular object it did not fit well into a round let alone spherical hole…

Hands up anybody that knows all the C++ libraries sufficiently well to use them in their entirety without using the documentation?

Be honest now…

The hidden problem with C++ is C and C’s hidden problem is memory, and nearly all security faults not using a human as a stepping stone are effectively memory access faults.

So what did those software people do? They came up with “complications” from stack canaries through to Address Space Randomization mostly written in C or above. And guess what, they don’t really fix anything as first RowHammer then Spectre and Meltdown showed. However those “memory” issues were known back in the 1950’s and they knew back then that if you could get in what we now call the “computing stack” below the level you develop and implement your memory security then you have no security…

That is, all the security at the memory layer and above uses the notion that “The memory won’t change” as the fundamental foundation stone on which all the security is absolutely dependent.

Just changing a single bit in one word in “core memory” can break all of the system security…

And all those supposedly clever features like Intel’s SGX and other “secure enclaves” all fail if you can get below the memory level in the computing stack directly or indirectly. As predicted all those “go faster” additions in overly complex CPUs open up “side channels” as the price of squeezing that extra “Specmanship”… As researchers are showing it truly is “The Xmas gift that keeps going”, first with the hardware, then with the work arounds for the hardware faults.

I hope people are finally getting the message that,

What we have can not be fixed!

At best we can mitigate, and oddly the closer to the failing the mitigation is, the more likely it is to fail to another attack… Mostly because the mitigation tries and fails at the “Security-v-Efficiency” issue. As a rough rule of thumb the more efficient something is made the less security it has, generally because it opens up the bandwidth of side channels making it effectively transparent to attacks. Yes there are ways you can design systems to be efficient and then close down the side channels, but generally only the side channels you can predict.

As I point out from time to time what many think of as a “one way process” very frequently is not. Because we add capabilities for “Errors and exceptions” and they propagate in the opposite direction to the data flow, right back through our mitigations such as firewalls and data diodes all the way back up into user processes…

These things have been known again from WWII and arguably back more than a century and a half to the Victorian era and the likes of the telegraph and telegraph relays…

But we don’t teach such history to students because apparently “they don’t need to know”!!! I guess I could liken it to not teaching about “metal fatigue” and other “work hardening” issues to those designing all the infrastructure, vehicles, buildings and just about everything else the failure of which would most likely cause a “loss of life”. Or not teaching chemists and others about the problems with “acids and bases”…

One of the things that separate real engineering from other endeavors is learning about why things fail and taking it on board and accepting responsibility for them. This is what happened, albeit reluctantly, with “boiler making” where artisanal crafting gave way to science based design. Thus engineers take responsibility for designing systems and their components so they either can/will not fail, or will fail in a safe way…

Anyone know of a Computer Science or Computer Engineering course that really teaches the history of computer failures, the hard lessons learned in detail and how to design them out of future systems?

Brendan April 22, 2020 3:09 AM

I am sure that initially this tactic was applied accidentally. It seems Maze was the pioneer in blackmail. And since this tactic turned out to be effective, others such as DoppelPaymer, Sodinokibi, Nemty also followed this way. I assume it will be even worse further.

Josh Lee July 6, 2020 10:12 AM

Ransomware has become even more dangerous since the COVID-19 pandemic began. We live in dangerous times when it comes to cybersecurity. That’s why having a ransomware protection solution is important. I was able to get one for me and my employees and now I feel like we’re protected.
