The DoppelPaymer ransomware group leaked a massive collection of files from the Illinois Office of the Attorney General. The Office decided not to pay the ransom, which explains the leak we're now seeing.

The PII (personally identifiable information) relates to state prisoners, grievances, court files, and cases. The ransomware attack on April 10 was disclosed on April 13.

DoppelPaymer negotiations usually don't get very far because of entities sanctioned by the Department of Justice. Since many security researchers link the DoppelPaymer ransomware to the sanctioned Evil Corp group, paying DoppelPaymer's demands can result in fines or further legal consequences.

DoppelPaymer derives from the BitPaymer ransomware and became a critical threat in 2019 after its operators successfully carried out attacks on a number of high-profile victims. Their initial tactic was locking and encrypting files on victim machines, but they have since adopted the approach now popular among threat actors of threatening to leak stolen data.

DoppelPaymer uses a tool called Process Hacker to terminate security services and software, servers, and backups in order to impair defenses and evade detection.
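The behavior just described, a defense-impairment tool being launched and security or backup services stopping shortly afterwards, is what a SOC would want to alert on. The following is an added example, not SpearTip's code or ShadowSpear logic: a small Python correlator run over constructed, Sysmon-style event records. The file names ProcessHacker.exe and kprocesshacker.sys belong to the real Process Hacker tool; the event layout, the protected-service list, the hostnames, timestamps and user names are assumptions constructed for this example.

```python
"""Correlate a Process Hacker launch with security-service shutdowns.

Added example (not SpearTip's code or tooling). The event records below
are constructed for the example and loosely follow Sysmon/Windows fields:
  id 1    = process creation (image, original_file_name, user)
  id 6    = driver load (image_loaded)
  id 7036 = Service Control Manager state change (service, state)
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The real tool's PE OriginalFileName and kernel driver. Matching on
# OriginalFileName rather than the on-disk name defeats a simple rename.
PROCESS_HACKER_NAMES = {"processhacker.exe"}
PROCESS_HACKER_DRIVER = "kprocesshacker.sys"

# Services a defender would not expect to stop outside maintenance.
# Assumed/illustrative list; tune it to what is actually deployed.
PROTECTED_SERVICES = {"WinDefend", "Sense", "VSS", "wbengine", "SQLWriter"}

# How long after the tool appears a service stop is treated as related.
WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    host: str
    trigger: str            # what first flagged the host
    stopped: list = field(default_factory=list)  # protected services stopped


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events):
    """Return one Alert per host where Process Hacker activity (process
    launch or driver load) is followed within WINDOW by at least one
    protected service entering the 'stopped' state."""
    triggers = {}  # host -> [first trigger time, description, stopped services]
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        host, t = ev["host"], parse_ts(ev["ts"])
        if ev["id"] == 1 and ev.get("original_file_name", "").lower() in PROCESS_HACKER_NAMES:
            # Keep the earliest trigger per host; later ones do not reset it.
            triggers.setdefault(
                host, [t, f"Process Hacker launched as {ev['image']} by {ev['user']}", []])
        elif ev["id"] == 6 and ev.get("image_loaded", "").lower().endswith(PROCESS_HACKER_DRIVER):
            triggers.setdefault(
                host, [t, f"KProcessHacker driver loaded: {ev['image_loaded']}", []])
        elif ev["id"] == 7036 and ev.get("state") == "stopped" and ev["service"] in PROTECTED_SERVICES:
            trig = triggers.get(host)
            if trig and t - trig[0] <= WINDOW:
                trig[2].append(ev["service"])
    return [Alert(host, desc, stopped)
            for host, (_, desc, stopped) in triggers.items() if stopped]


# Constructed sample telemetry: one suspicious host, one benign service
# stop on another host, and one Process Hacker run with no stop in window.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2024-01-15T02:14:03", "id": 1,
     "image": "C:\\Users\\Public\\svchost.exe",          # renamed binary
     "original_file_name": "ProcessHacker.exe", "user": "CORP\\svc_backup"},
    {"host": "WS-01", "ts": "2024-01-15T02:14:05", "id": 6,
     "image_loaded": "C:\\Users\\Public\\kprocesshacker.sys"},
    {"host": "WS-01", "ts": "2024-01-15T02:14:20", "id": 7036, "service": "WinDefend", "state": "stopped"},
    {"host": "WS-01", "ts": "2024-01-15T02:14:21", "id": 7036, "service": "VSS", "state": "stopped"},
    {"host": "FS-02", "ts": "2024-01-15T03:00:00", "id": 7036, "service": "VSS", "state": "stopped"},
    {"host": "WS-03", "ts": "2024-01-15T08:00:00", "id": 1,
     "image": "C:\\Tools\\ProcessHacker.exe",
     "original_file_name": "ProcessHacker.exe", "user": "CORP\\admin"},
    {"host": "WS-03", "ts": "2024-01-15T11:00:00", "id": 7036, "service": "WinDefend", "state": "stopped"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.trigger}; stopped: {', '.join(alert.stopped)}")
```

Only WS-01 produces an alert: the renamed binary is caught through its OriginalFileName, and the two service stops fall inside the window. FS-02 stops a protected service with no tool activity, and WS-03's stop comes hours after the launch, so both stay quiet; a tighter or looser WINDOW trades those misses against noise from legitimate administrative use of the same tool.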

SpearTip’s engineers specialize in incident response to help organizations steer clear of cyber threats. If your business endures an attack, call our security operations center. We have engineers ready to assist with data recovery, threat mitigation, and overall IT remediation. Your data should be viewed as a valuable asset to the company, so it’s crucial to recover and protect it.

In addition to our incident response capabilities, we provide organizations with continuous monitoring through our security operations as a service (SOCaaS). Nothing compares to being able to communicate with highly technical, certified engineers when your organization faces a cybersecurity issue. Attacks on government agencies at the local and state levels have been prominent lately: Babuk ransomware operators attacked a DC police department and threatened to release the data they exfiltrated.

Our team continuously monitors environments 24/7 from our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.