The practice of disclosing stolen data as a penalty for not paying ransom demands is just starting to heat up as the City of Torrance, California, was recently victimized by an attack using DoppelPaymer ransomware.
At the time of the attack, the hackers demanded a 100 bitcoin ($689,147) ransom in exchange for a decryptor, for the removal of files that had already been publicly leaked, and for a promise not to release any more stolen files.
In February of 2020, the hackers behind DoppelPaymer ransomware created a website called “Dopple Leaks” that they use to publish the stolen data of victims who refuse to pay up.
In a recent update to the site, the DoppelPaymer operators created a page titled “City of Torrance, CA” containing leaked file archives allegedly stolen from the city during the ransomware attack.
Another attack involving DoppelPaymer ransomware was carried out against Mexico’s state-owned oil company, Pemex, with the attackers demanding $4.9 million to decrypt its files.
On Sunday, November 10th 2019, Pemex was hit with a ransomware attack that the company stated affected less than 5% of its computers. Employees reported that internal memos initially told them not to turn on their computers, but that the computers were up and running again later in the day on the following Monday.
In a statement posted to Twitter, Pemex stated that it was operating normally and that there was no effect on its fuel production, supply, or inventory.
While reports initially stated that Pemex was affected by the infamous Ryuk ransomware, which is known to attack large industrial companies, leaked ransom notes and the Tor payment site confirm that it was actually the DoppelPaymer ransomware, a variant of the BitPaymer ransomware.
Attackers Demanded a $4.9 Million Ransom
According to the Tor payment site’s instructions for the victim, Pemex was to pay 565 bitcoins to the DoppelPaymer group, which translated to a value of almost 5 million USD at the time of the attack.
Another interesting feature of DoppelPaymer ransomware is that the payment site offers a chat feature where a victim can get support or negotiate with the ransomware developers.
The online chat for the Pemex attack is empty, which indicates that Pemex did not attempt to use it to discuss the ransom with the attackers.