On Monday, November 23rd, Delaware County in Pennsylvania announced that it had suffered a data breach affecting multiple government networks, but not affecting emergency services or the board of elections. Sources have recently told BleepingComputer that the breach is associated with DoppelPaymer ransomware. Delaware County has since paid the ransom of $500,000 USD, reportedly reimbursed through a cyber insurance policy. In almost every documented case, DoppelPaymer is dropped by Dridex before it encrypts a network. Dridex, a banking trojan, often deploys DoppelPaymer to increase the payout for high-value targets. This news comes on the heels of other high-profile attacks on local governments within the past few months, including the City of Torrance in California and Hall County in Georgia.
When Dridex has landed in an environment, the threat actors use Mimikatz on systems where they have local administrator or SYSTEM-level access to gather user credentials and tokens from memory, then use those credentials to move laterally across the affected enterprise network. Because gathering credentials this way is so easy, ransomware offers a low effort-to-payout ratio compared to Dridex’s method of injecting code into webpages through browsers to steal online banking credentials. Measures such as removing Windows debug permissions from administrator accounts, enabling LSASS protections, disabling WDigest, disabling credential caching, utilizing the “Protected Users” AD group, and leveraging Credential Guard can all create barriers that prevent attackers from effectively using Mimikatz to gather credentials. If the visibility is available, looking for anomalous processes that have gained debug privileges can also assist in detecting these kinds of attacks. Catching attacks early through continuous monitoring and response by skilled analysts in a Security Operations Center is the last, best line of defense against cyber threats.
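As an added illustration of the debug-privilege check mentioned above (example code, not from the original article), the following filters Windows Security event 4703 ("A token right was adjusted") for processes that enabled SeDebugPrivilege and are not on an expected baseline. The choice of event 4703, the allowlist, the host and user names, and the sample events are all assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: illustrative baseline of processes expected to enable SeDebugPrivilege.
ALLOWED = {r"c:\windows\system32\svchost.exe",
           r"c:\windows\system32\wbem\wmiprvse.exe"}

# Trimmed shape of Security event 4703 ("A token right was adjusted").
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4703</EventID><Computer>{host}</Computer></System>"
    '<EventData><Data Name="SubjectUserName">{user}</Data>'
    '<Data Name="ProcessName">{proc}</Data>'
    '<Data Name="EnabledPrivilegeList">{privs}</Data></EventData></Event>'
)

# Constructed sample events, not taken from the incident described above.
SAMPLE_EVENTS = [
    TEMPLATE.format(host="WS-042", user="WS-042$", privs="SeDebugPrivilege",
                    proc=r"C:\Windows\System32\svchost.exe"),
    TEMPLATE.format(host="WS-042", user="jdoe",
                    privs="SeDebugPrivilege\n\t\t\tSeLoadDriverPrivilege",
                    proc=r"C:\Users\Public\updater.exe"),
    TEMPLATE.format(host="WS-042", user="backupsvc", privs="SeBackupPrivilege",
                    proc=r"C:\Program Files\Backup\agent.exe"),
]

def debug_privilege_alerts(xml_events, allowed=ALLOWED):
    """Return (host, user, process) for unexpected SeDebugPrivilege enables."""
    alerts = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4703":
            continue
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # The privilege list is whitespace-separated in the rendered event.
        if "SeDebugPrivilege" not in data.get("EnabledPrivilegeList", "").split():
            continue
        proc = data.get("ProcessName", "")
        if proc.lower() not in allowed:
            host = root.findtext("e:System/e:Computer", namespaces=NS)
            alerts.append((host, data.get("SubjectUserName", ""), proc))
    return alerts

if __name__ == "__main__":
    for alert in debug_privilege_alerts(SAMPLE_EVENTS):
        print("unexpected SeDebugPrivilege:", alert)
```

The baseline is the part that needs tuning: it should be built from what normally enables SeDebugPrivilege in the monitored environment, so that anything outside it stands out for analyst review.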
While the decision to pay or not pay a ransom is a complicated one, taking proactive measures to prevent this kind of situation and payout is a worthwhile investment. If an organization has not previously experienced ransomware’s crippling effects, it can be difficult for decision-makers to correctly judge the risk and impact that it has. As more companies pay higher ransom demands on a regular basis, criminals become more motivated to pay botnet operators and others higher prices for access, oftentimes offering a share of the final ransom payment as an incentive. The likelihood of ransomware affecting any business grows every day as the botnets behind the initial spam campaigns grow more widespread and employees continue to respond to the campaigns by downloading and opening malicious document files on workstations. With the increase in the prevalence of ransomware, the importance of taking measures to protect one’s enterprise also increases.