A threat group spreading a ransomware variant dubbed DoppelPaymer has started publishing copies of files apparently taken last month from Canada’s Royal Military College, in an apparent attempt to squeeze the institution into paying by proving it holds real data.
One 35 MB file called “Student DB and others” and four files titled “Financial Info 7z.001” have been posted on a website called Doppel Leaks. The posted data also includes a list of 20 domain names supposedly belonging to the institution.
Brett Callow, a British Columbia-based threat analyst for Emsisoft, has seen some of the student files and believes they are authentic. For example, one appears to be a professor’s evaluation of a doctoral student’s progress, dated May 20th.
The breach was first reported on July 8 and hit both the Royal Military College (RMC) and the Canadian Defence Academy, an umbrella organization that includes RMC and several other military institutions.
At that time the website and email systems of RMC, based in Kingston, Ont., were offline after what was reported as a ransomware attack. A spokesperson for the Department of National Defence (DND) said at the time that it started with a mass phishing campaign, suggesting it wasn’t targeted.
Asked for comment on Tuesday about the posting of allegedly stolen files, a DND spokesperson said it is still assessing the extent to which RMC’s data was compromised. “Given the investigation is still ongoing, we cannot comment further on the specific incident.”
DND is working with the Communications Security Establishment’s Canadian Centre for Cyber Security (which is responsible for defending federal networks) to investigate the incident and ensure all appropriate actions are taken to minimize any potential impact, the spokesperson said.
RMC expects its fall academic term will begin as scheduled on Sept. 8. It has about 1,200 full-time undergraduate and 544 part-time undergraduate students, plus 310 full-time and 499 part-time students taking post-graduate courses. Most undergraduates are Officer Cadets who have military service commitments after graduation.
“Information systems personnel at RMC and the Canadian Defence Academy are also working with partners within the Department and at Shared Services Canada to ensure network operations and the essential data needed to support the successful delivery of the academic program are available to faculty, staff and students,” the DND spokesperson added. “While we do not release technical details of security measures, we can say that this cyber incident does not affect the operational capabilities or networks of the Canadian Armed Forces or its ability to perform its mandate of defending Canadians.”
The variant was first seen in the summer of 2019 by CrowdStrike, which named it DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by a group dubbed Indrik Spider. However, there are a number of differences between the two strains that, at least initially, suggested one or more members split from that group and forked the source code of both the Dridex malware (also created by Indrik Spider) and BitPaymer to start their own gang.
Since then, those behind DoppelPaymer have adopted the Maze group’s strategy of stealing data from organizations before encrypting their servers, then threatening to publicly release the unencrypted data to shame victims into paying for decryption keys.
The news site Bleeping Computer reported in February that the operators of DoppelPaymer had launched the Doppel Leaks site, which they use to shame victims who do not pay a ransom and to publish files stolen before the computers were encrypted.
Among the victims was a Denver parts manufacturer called Visser Precision.
In July, cybersecurity firm Emsisoft estimated that 11 per cent of ransomware attacks this year included data theft. Initial evidence of a ransomware attack now has to be treated as a sign that data exfiltration may also have happened, it warns. “An absence of evidence of exfiltration should not be construed to be evidence of its absence, especially during the preliminary stages of an investigation. This is particularly true in the case of attacks by groups such as DoppelPaymer, Maze and REvil which are known to steal data. In these cases, the initial assumption should be that data may have been exfiltrated and potentially affected parties should be promptly notified of this possibility.”
To prevent and limit the effects of ransomware (indeed, of any malware) Emsisoft urges infosec teams to follow basic cybersecurity hygiene: multi-factor authentication wherever possible, limiting admin rights, disabling RDP if it is not needed and locking it down if it is, network segmentation, email filtering, disabling PowerShell when not needed, and a patch management strategy.
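The host-level items in that list (RDP, local admin rights, PowerShell, patching) can be audited on a Windows endpoint with a short script. The one below is an added example, not code from the article or from Emsisoft: it reports findings by default and only changes settings when run with -Enforce. It assumes an elevated PowerShell 5.1+ prompt on Windows 10/Server 2016 or later; the management subnet in $AdminSubnet and the allow-list in $allowedAdmins are placeholders to be replaced with your own values. MFA, email filtering and network segmentation are service- or network-side controls and are not covered here.

```powershell
<#
 Added example (not from the article or Emsisoft): report-only audit of the
 host-hardening items above, with an optional -Enforce switch to apply fixes.
 Assumes an elevated PowerShell 5.1+ prompt on Windows 10 / Server 2016+.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,
    [switch]$RdpNeeded,                     # leave RDP on but lock it down
    [string]$AdminSubnet = '10.0.0.0/24'    # assumed management subnet (placeholder)
)

$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. RDP: off entirely unless needed; if needed, require NLA and restrict source addresses.
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaPath = "$tsPath\WinStations\RDP-Tcp"
$rdpOn   = (Get-RegValue $tsPath 'fDenyTSConnections') -eq 0
$nlaOn   = (Get-RegValue $nlaPath 'UserAuthentication') -eq 1

if ($rdpOn -and -not $RdpNeeded) {
    $findings.Add('RDP is enabled but not flagged as needed')
    if ($Enforce) {
        Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}
if ($rdpOn -and $RdpNeeded) {
    if (-not $nlaOn) {
        $findings.Add('RDP enabled without Network Level Authentication')
        if ($Enforce) { Set-ItemProperty -Path $nlaPath -Name UserAuthentication -Value 1 }
    }
    # Any enabled Remote Desktop rule whose remote address filter is 'Any' is reachable from everywhere.
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
            Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' }
    if ($open) {
        $findings.Add("RDP firewall rules accept any source; restrict to $AdminSubnet")
        if ($Enforce) { Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminSubnet }
    }
}

# 2. Least privilege: local Administrators should contain only the built-in account
#    and the designated admin group; anything else is reported (removal left to a human).
$allowedAdmins = @('Administrator', 'Domain Admins')   # assumed allow-list (placeholder)
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { ($_.Name -split '\\')[-1] -notin $allowedAdmins }
foreach ($m in $extraAdmins) { $findings.Add("Unexpected local admin: $($m.Name)") }

# 3. PowerShell: remove the v2 engine (no script-block logging, no AMSI) and make sure
#    script-block logging is on so anything the v5+ engine runs leaves a trail.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    $findings.Add('PowerShell v2 engine is installed')
    if ($Enforce) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if ((Get-RegValue $sblPath 'EnableScriptBlockLogging') -ne 1) {
    $findings.Add('PowerShell script block logging is off')
    if ($Enforce) {
        New-Item -Path $sblPath -Force | Out-Null
        Set-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
}

# 4. Patching: no hotfix in the last 45 days is a red flag for the patch process.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-45) }
if (-not $recent) { $findings.Add('No hotfixes installed in the last 45 days') }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once without switches to see what would change, then with -Enforce (and -RdpNeeded on jump hosts that legitimately need RDP). Removing local administrators is deliberately left as a reported finding rather than automated, since a wrong allow-list would lock out the people who need to respond to an incident.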