It has been reported that an American manufacturer which works with SpaceX and Tesla is being extorted by cyber criminals who are leaking documents relating to these companies. The cyber crime group known as DoppelPaymer has already leaked non-disclosure agreements signed between Visser Precision and the Elon Musk-led companies SpaceX and Tesla. More documents stolen from Visser’s network will be released unless the Denver-based firm pays a ransom, the criminals have claimed.
It has felt like ransomware incidents are ramping up once more, with a number of attacks over the past few weeks. This DoppelPaymer attack has been the most high-profile of those, partly because of the organisation being held to ransom – Visser, a parts manufacturer to major brands such as Boeing, Tesla and SpaceX – and partly because of DoppelPaymer’s nature. It is file-encrypting malware which first exfiltrates a company’s data and only discloses the data theft when that company visits the ransomware operators’ website to pay the ransom.
This means that organisations might not even be aware that their data is being exfiltrated, a highly vulnerable place to be in. DoppelPaymer relies on employees opening an email attachment; the message body contains the password needed to open the file, and once this has happened the ransomware can move across the network and take all the data it wishes. But these types of file are relatively easy to defend against. Organisations can build policy to allow password-protected documents only from trusted senders, although ideally they should move to email encryption, as it is more secure.
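One way to implement the policy described above, as an added example that is not part of the original article: a mail-gateway check that quarantines password-protected ZIP attachments unless the sender is on an allow-list. The trusted-sender set and the sample message are constructed here; the ZIP check reads the encryption bit (bit 0 of the general-purpose flags) in the first local file header rather than opening the archive.

```python
import email
import struct
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: allow-list of senders permitted to send password-protected archives.
TRUSTED_SENDERS = {"accounts@partner.example"}


def zip_is_password_protected(data: bytes) -> bool:
    """Return True if the first ZIP local file header has the encryption bit set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False  # not a ZIP archive (or truncated)
    (flags,) = struct.unpack_from("<H", data, 6)  # general-purpose bit flag
    return bool(flags & 0x0001)


def decide(raw_message: bytes, trusted=TRUSTED_SENDERS) -> str:
    """Return 'quarantine' for encrypted ZIPs from untrusted senders, else 'deliver'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if zip_is_password_protected(payload):
            return "deliver" if sender in trusted else "quarantine"
    return "deliver"


def build_sample(sender: str, encrypted: bool) -> bytes:
    """Constructed test message carrying a minimal ZIP local header as attachment."""
    flag = 0x0001 if encrypted else 0x0000
    # signature, version needed (20), flags, then zeroed remainder of the header
    zip_bytes = b"PK\x03\x04" + struct.pack("<HH", 20, flag) + b"\x00" * 22
    msg = EmailMessage()
    msg["From"] = f"Sender <{sender}>"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Invoice attached, password is 1234"
    msg.set_content("Please open the attached archive with the password above.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for who, enc in [("attacker@evil.example", True), ("accounts@partner.example", True)]:
        print(who, "->", decide(build_sample(who, enc)))
```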
Ransomware continues to pose a significant risk to organisations and individuals worldwide because it is a lucrative way for cyber criminals to make lots of money – fast. For these reasons, it is expected that ransomware attacks will continue to grow until the financial incentive is significantly diminished. DoppelPaymer is not different to any other ransomware in that it encrypts data and forces victims to pay before the data is decrypted. For any organisation or individual, the advice is always to protect yourself using multiple layers of defence, including: regular backups of data and always store it in a safe place, ensure that server and endpoint devices have the latest anti-malware software protection that can detect malicious code, and ensure that only trusted whitelisted applications are allowed to run on endpoint devices.
Because DoppelPaymer exfiltrates data to a remote internet server, it’s also crucial to ensure that outbound connections leaving the organisation are scanned to detect nefarious activity. At the endpoint, application whitelisting is another effective way to detect malicious applications on top of running conventional anti-malware software. As an extra precaution, taking physical backups of your data on a regular basis is key. Care must be taken to ensure that data is backed up offline so that if an endpoint device is infected, a swift recovery is possible.
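An added example of the outbound scanning suggested above, not from the original article: aggregating egress bytes per internal host and destination from proxy log lines and flagging large transfers to destinations outside an approved list. The log format, the hosts, the domains and the 20 MB threshold are all constructed for illustration.

```python
from collections import defaultdict

# Assumption: destinations the business legitimately sends large volumes to.
APPROVED_DESTINATIONS = {"backup.corp.example", "crm.saas.example"}
THRESHOLD_BYTES = 20 * 1024 * 1024  # constructed 20 MB per host/destination window

# Constructed proxy log lines: timestamp host client_ip destination port bytes_out=N
SAMPLE_LOG = """\
2020-03-02T10:01:05Z ws-17 10.0.4.17 crm.saas.example 443 bytes_out=3145728
2020-03-02T10:01:09Z ws-17 10.0.4.17 files.drop.example 443 bytes_out=15728640
2020-03-02T10:02:31Z ws-17 10.0.4.17 files.drop.example 443 bytes_out=14680064
2020-03-02T10:03:02Z ws-22 10.0.4.22 backup.corp.example 443 bytes_out=52428800
2020-03-02T10:03:45Z ws-09 10.0.4.9 files.drop.example 443 bytes_out=1048576
"""


def parse_line(line: str):
    """Return (host, destination, bytes_out) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 6 or not fields[5].startswith("bytes_out="):
        return None
    try:
        return fields[1], fields[3], int(fields[5].split("=", 1)[1])
    except ValueError:
        return None


def find_exfil(log_text: str, threshold=THRESHOLD_BYTES, approved=APPROVED_DESTINATIONS):
    """Sum egress per (host, destination); return alerts for unapproved destinations."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed input rather than crash the detector
        host, dest, nbytes = parsed
        totals[(host, dest)] += nbytes
    return sorted(
        (host, dest, total)
        for (host, dest), total in totals.items()
        if dest not in approved and total >= threshold
    )


if __name__ == "__main__":
    for host, dest, total in find_exfil(SAMPLE_LOG):
        print(f"ALERT {host} sent {total // (1024 * 1024)} MB to {dest}")
```

The two ws-17 transfers to files.drop.example total 29 MB and trigger an alert; the 50 MB to the approved backup host and the 1 MB from ws-09 do not.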
With ransomware it is advisable to think about the worst case scenario and also conduct regular drills to ensure the business continuity processes implemented are effective and working as expected.
For organizations whose main asset is the confidential information that they produce and maintain, data exfiltration is their biggest nightmare. There is no practical way to prevent attackers from reaching employees and getting them infected. The only way to keep confidential information safe is to isolate access to it. Companies that use privileged access to let their employees use one operating system, which is less restricted for general use, assume they can get infected. Access to confidential information, however, is done through a separate, privileged operating system, which is fully isolated from all attack vectors. While the two operating systems run on a single physical machine in a fashion that is transparent to the user, they are completely segregated from one another, so an attacker on the general operating system is not even aware of the privileged one, let alone being able to access it.
This particular ransomware incident is disturbing for a number of reasons. First, the hackers deployed the new DoppelPaymer ransomware, which combines malware that initially extracts data from documents with encryption that then renders the files inaccessible. Second, Visser appears to work with a number of high-profile technology and defence contractors, which could mean that the attackers are now in possession of sensitive information. Finally, the incident raises the question of how DoppelPaymer made its way into the Visser system and located files and information where the data was clearly not encrypted or tokenised. DoppelPaymer is a prime example of how sophisticated data-stealing ransomware is becoming, which means that companies of all sizes need to formulate their data security approaches with this type of attack in mind.
Ransomware such as DoppelPaymer is becoming more favoured by criminals because not only does it encrypt files like conventional ransomware, but also steals the files before doing so. That way, even if the organisation has backups in place, or can resume operations, the threat of leaking or selling commercially sensitive data and intellectual property will remain.
Not only does this approach make attacks even more effective, it also widens the pool of potential targets that will feel compelled to pay a ransom.
The best option for organisations is to try to ensure that the malware doesn’t get into the system to begin with. While there is no one technique that will work in all scenarios, having a layered set of controls to make it difficult for criminals to succeed will help reduce the risk. This includes patching software, implementing multifactor authentication, and providing regular security awareness training to employees.