The actors behind the DopplePaymer ransomware recently released internal files that they claim to have stolen from Foxconn North America. Since Thanksgiving weekend, Bleeping Computer has been following reports a potential attack against Foxconn. With these recent published files Bleeping computer has also learned that the current ransom demand is $34,686,000 USD. Based on the information available, Foxconn has opted not to pay the ransom and instead will rebuild the affected systems.
The attack’s scope allegedly covers 1,200 to 1,400 servers with 20-30 TB of backups being deleted. The DopplePaymer group reportedly exfiltrated 100GB of data for further extortion, which will more than likely be used against Foxconn in the future.
Analyst Notes
DopplePaymer, in almost every documented case, is dropped by Dridex before encrypting a network. Dridex, a banking trojan that is also used as a delivery mechanism for other malware, often deploys DoppelPaymer to increase the payout for high-value targets. This news comes on the heels of other high-profile attacks on local governments within the past few months.
After Dridex has landed in an environment, the threat actors typically use Mimikatz on systems on which they have local administrator or SYSTEM level access to gather user credentials and tokens from memory, then use those credentials to move laterally across the affected enterprise network. Because of the ease of gathering credentials this way, ransomware offers a low effort to payout ratio compared to Dridex’s method of injecting code into webpages through browsers to steal online banking credentials.
Taking steps to block Mimikatz with measures such as removing Windows debug permissions from administrator accounts, enabling LSASS protections, disabling wdigest, disabling credential caching, and utilizing the “Protected Users” AD group are all best practices to reduce the damage that attackers can do and increase the time that defenders have to detect an intrusion by forcing the attacker to attempt several methods of gaining administrator access. Leveraging credential guard can all create barriers to prevent attackers from effectively using Mimkatz to gather credentials. If the visibility is available, looking for anomalous processes that have gained debug privileges can also detect these kinds of attacks. Catching attacks early through continuous monitoring and response by skilled analysts in a Security Operations Center is the last, best line of defense against cyber threats.
References:
https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/
https://isc.sans.edu/forums/diary/Mitigations+against+Mimikatz+Style+Attacks/24612/
