Ransomware Gang Releases Secret Industrial Documents

Security researchers have warned of a new ransomware campaign that targets companies handling sensitive data – and then publishes their internal files online if they do not pay.

DoppelPaymer emerged in mid-2019, but in recent weeks has published data belonging to contractors for the US Navy, Lockheed-Martin and SpaceX.

The variant emerged from the BitPaymer ransomware in June of last year, researchers say, but has added its own features, such as the expropriation and publication of targets’ data.

In addition, DoppelPaymer doesn’t initially tell compromised organisations that their data has been stolen – they only see their files online when they go to pay.

Business data

“This means that organisations might not even be aware of their data being exfiltrated,” said security firm Clearswift in an advisory.

Some of the malware developers’ ransom demands have been in excess of $1 million (£800,000), according to computer security firm CrowdStrike.

In February the attackers behind DoppelPaymer released data stolen from Visser Precision, a precision parts maker for military and aerospace companies including Lockheed-Martin, Tesla, SpaceX and Boeing.

The published documents included non-disclosure agreements between Visser and both Tesla and SpaceX, as well as a partial schematic for a missile antenna marked as pertaining to Lockheed Martin.

The group published more of Visser Precision’s documents through late March, and as of the current writing the website containing the documents continues to be publicly available.

Denver, Colorado-based Visser Precision confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data”, and said it “continues its comprehensive investigation of the attack”.

Mitigation

Lockheed Martin said the company was “aware of the situation with Visser Precision and are following our standard response process for potential cyber incidents related to our supply chain”.

Other targets have included Kimchuk, a medical and military electronics maker that makes nuclear modules for the US Navy, as well as the Chilean government and Mexico’s state oil company Pemex.

Clearswift noted that DoppelPaymer spreads via password-protected Word files attached to email messages.

“Organisations can build policy to only allow password-protected documents from trusted senders, which will go a long way in mitigating against DoppelPaymer,” the company said.

Europol recently warned that ransomware developers have increased their activity during the coronavirus epidemic.