In March, the City of Torrance, California reported a cyber-attack. While at the time the city government stated that no “public personal data” was affected, the threat group behind the DoppelPaymer ransomware recently published over 200GB of files stolen from Torrance’s 150 servers and 500 workstations. DoppelPaymer was reportedly demanding a ransom of 100 Bitcoin (BTC), approximately $680,000 USD.
DoppelPaymer is typically distributed by Dridex, an email-based banking trojan that also doubles as a loader for other malware, including ransomware. Because the primary infection vector in these emails is a malicious document macro, Binary Defense recommends using extreme caution when a document asks you to “Enable Content”: clicking that button is what runs the malicious macro.
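As an added triage example (not code from Binary Defense or from the original post), the check below inspects a modern Office (OOXML) document for a VBA macro project before anyone is tempted to click “Enable Content”. It looks for the well-known vbaProject.bin part paths and for the VBA content-type declaration in [Content_Types].xml. The sample documents it builds are constructed in memory for demonstration and are not real Word files; legacy binary .doc/.xls (OLE) files are out of scope for this check.

```python
"""Triage check: does an Office (OOXML) document carry a VBA macro project?"""
import io
import zipfile

# Paths where Word, Excel and PowerPoint store the VBA project inside the OOXML zip.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type Office declares for a VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document bytes contain a VBA project part.

    Checks both the well-known part paths and the [Content_Types].xml
    declaration; a renamed part still has to be declared there for
    Office to load it, so either signal is enough to flag the file.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False  # not OOXML (legacy OLE .doc/.xls needs a different parser)
    names = set(zf.namelist())
    if any(part in names for part in VBA_PARTS):
        return True
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        return False  # no content-types part: not a well-formed OOXML package
    return VBA_CONTENT_TYPE in content_types


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_macro:
            overrides = ('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{overrides}</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (OLE magic prefix).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(f"{label}: macros present = {has_vba_macros(doc)}")
```

Run it against a real attachment with `has_vba_macros(open(path, "rb").read())`; a True result does not prove the macro is malicious, but it is exactly the case where the “Enable Content” prompt would appear and where the file deserves sandbox detonation or analyst review before it is opened.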
While Torrance had backups, they were not isolated from the rest of the network, so the backups were encrypted along with the servers and workstations. Binary Defense recommends following the 3-2-1 backup rule:
• 3 copies of the data (the production copy plus two backups)
• 2 copies on different types of storage media
• 1 copy stored off-site
This ensures that even if one or two copies are destroyed, the third is still available to restore from. The off-site copy should also be offline or otherwise unreachable from the production network, so that ransomware that has already spread across the network cannot encrypt it as well.
Even when encrypted files can be restored from backups, if attackers have stolen sensitive information there is still a risk of extortion or long-term damage to the organization. To avoid that situation, organizations should continuously monitor network traffic, workstations, and servers for signs of attacker behavior. By detecting intrusion activity quickly and stopping it in its early stages, attackers are denied the opportunity to collect sensitive data or expand their access to other workstations and servers across the network. Binary Defense provides services to detect threats and respond 24 hours a day, seven days a week, to protect clients from ransomware and other threats.