After negotiations between DoppelPaymer, a ransomware gang, and the Illinois Office of the Attorney General broke down, the criminal group behind DoppelPaymer leaked a large collection of files stolen from Illinois courts. The attack took place on Saturday, April 10th. The incident was disclosed on April 13th, but it was not confirmed as ransomware until April 21st. No definitive reason has been given for why the negotiations broke down, but some past ransomware negotiations with DoppelPaymer have collapsed when victims realized that paying the ransom could be illegal: the US Department of the Treasury added the criminal group known as Evil Corp to its list of sanctioned entities and cautioned US businesses against providing financial support to the group. Since some analysts have suggested that DoppelPaymer may have been created by Evil Corp, victims may be hesitant to pay its ransom demands. Courts and other law enforcement agencies are even less likely to hand over money to support criminal operations, since doing so runs counter to their mission and responsibility to protect the public from crime.
There are several ways DoppelPaymer could have gained access to the network, so Binary Defense recommends that organizations cover all of the likely scenarios: secure RDP and VPN servers (do not expose RDP directly to the internet, and require multi-factor authentication for remote access), help employees learn to recognize threats arriving by email, and deploy security monitoring software to every workstation and server. To limit the damage ransomware can do, take frequent backups and follow the 3-2-1 backup rule: keep 3 copies of your data, on 2 different storage types, with at least 1 copy stored offsite. That offsite copy should also be offline or immutable, so the ransomware cannot reach and encrypt it, and restores should be tested regularly. This does not prevent data theft, but it does prevent loss of data after encryption. Additionally, Binary Defense recommends deploying a 24/7 SOC monitoring solution, such as Binary Defense's own Security Operations Task Force, to recognize and stop attacks in their early stages, before they do extensive damage.