Threat Watch

DoppelPaymer Claims That They Are Behind Attack on Newcastle University

The UK research university Newcastle has been attacked with ransomware. The university stated that it will take them several weeks to get their systems back online due to the attack. The DoppelPaymer ransomware gang breached the network of the university on the morning of August 30th. All university systems were affected and are either unavailable or available with limitations. Newcastle has not yet decided if they need to require password resets for all accounts. The university has not stated that DoppelPaymer was behind the attack, but the ransomware gang posted examples of files they claim to have stolen from Newcastle University on their website. Typically, DoppelPaymer has high ransom requests because of their ability to infect thousands of systems on their victims’ networks.

ANALYST NOTES

DoppelPaymer got its name from BitPaymer, which shared a vast amount of its code that was added to the DoppelPaymer ransomware. In November of 2019, the ransomware gang infected Mexico’s state-owned oil company and asked for a ransom of $4.9 million worth of Bitcoin, which is higher than the average ransom. It was not stated if Newcastle paid the ransom or if they intend to, but with the announcement of their systems being down and some files having been posted to the DoppelPaymer website, that may indicate that the university is not planning to pay. If they do not pay the ransom, the threat actor may release or auction off the data that they stole. Binary Defense recommends following the 3-2-1 backup rule: 3 backups, 2 stored on physical media, and 1 stored off-site This will ensure that even if one or even two backups are destroyed, there is still a third backup to save the day. Even when encrypted files can be restored from backups, if attackers have stolen sensitive information there is still a risk of extortion or long-term damage to organizations. To avoid that situation, organizations should continuously monitor network traffic, workstations, and servers for signs of attacker behaviors. By quickly detecting intrusion activity and putting a stop to it in the early stages, the attackers are denied the opportunity to collect sensitive data or expand their access to multiple workstations and servers across the network. Binary Defense provides services to detect threats and respond 24 hours a day, seven days a week to protect clients from ransomware and other threats.