[BreachExchange] DoppelPaymer Ransomware hits Los Angeles County city, leaks files

Destry Winant destry at riskbasedsecurity.com
Thu Apr 23 10:14:42 EDT 2020


The City of Torrance, in the Los Angeles metropolitan area of
California, has allegedly been attacked by the DoppelPaymer
ransomware, with unencrypted data stolen and devices encrypted.

The attackers are demanding a 100 bitcoin ($689,147) ransom for a
decryptor, to take down files that have been publicly leaked, and to
not release more stolen files.

The City of Torrance is a suburb of Los Angeles located in the South
Bay along the Pacific coast, with a population of approximately
150,000 people.

In February 2020, DoppelPaymer created a site called "Dopple Leaks"
that they used to publish the stolen data of victims who refuse to pay
a ransom.

In a new update to this site, DoppelPaymer has created a page titled
"City of Torrance, CA" containing numerous leaked file archives
allegedly stolen from the City during the ransomware attack.

Data leaked on DoppelPaymer site

Based on the names of the archives, this data includes city budget
financials, various accounting documents, document scans, and an
archive of documents belonging to the City Manager.

In the past, DoppelPaymer has sold stolen data on the dark web and
hacker forums to "cover some costs" of their attacks.

200 GB worth of files allegedly stolen

In an email to BleepingComputer, the DoppelPaymer operators stated
that in an attack on March 1st, they erased the City's local backups
and then encrypted approximately 150 servers and 500 workstations.

As part of the attack, they also claim to have stolen approximately
200+ GB of files.

In a text file shared with BleepingComputer listing all of the files
they claim to have stolen, it comes out to 269,123 files throughout
8,067 directories.

To receive a decryption key, DoppelPaymer is demanding 100 bitcoins or
approximately $680,000 at current prices.

In March, local media reported [1, 2] on a cyberattack on the City of
Torrance. At that time, the City stated that no "public personal data"
was affected.

DoppelPaymer also previously attacked Mexico's Pemex Oil in November
2019, where they demanded a $4.9 million ransom.

BleepingComputer has contacted the City of Torrance to confirm the
attack but has not heard back at this time.
