DoppelPaymer Gang Leaks Files from Illinois AG After Ransom Negotiations Break Down


Information stolen in April 10 ransomware attack was posted on a dark web portal and includes private documents not published as part of public records.

The ransomware gang identified as DoppelPaymer has leaked a substantial collection of files from the Illinois Office of the Attorney General (OAG) on a server controlled by the cybercriminal group. The move came after ransom negotiations between the two parties broke down following a ransomware attack earlier this month, on April 10.

The leaked files include not only public information from court cases handled by the Illinois OAG, but also private documents that aren’t a part of the public record, according to security research firm Recorded Future, which detailed the leak in a post on its news portal The Record. The files contain personally identifiable information about state prisoners, their grievances and cases, according to the post.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

The Illinois OAG acknowledged publicly on April 13 that its network had been compromised several days earlier, but did not go into detail about what type of attack it was or what type of information had been affected.

“In the early hours of Saturday morning, it was discovered that the office’s network was compromised,” according to a statement on the office’s website. “Since then, information technology staff and investigators from the Attorney General’s office have been working closely with federal law enforcement authorities to evaluate the extent to which the network was compromised.”

On April 21, DoppelPaymer took responsibility for the attack and released several files stolen from the Illinois OAG’s internal network as a teaser to another data dump this week after negotiations about paying the ransom stalled for unclear reasons, according to the post.

Historically, however, most DoppelPaymer negotiations tend to fail and reach an impasse once victims realize that paying the ransom brings legal complications, according to the post.

These complications are due to a move by the U.S. Treasury Department in December 2019 to add Evil Corp, the cybercrime group behind DoppelPaymer, to a list of foreign-sanctioned entities.

That move, which makes any payments to these attackers strictly forbidden, came after the Department of Justice charged two of the Evil Corp members following a massive federal crackdown on the group that focused on what it believed to be its leader.

“While the Treasury Department is open to approving some transactions if victims reach out and request approval, it appears the Illinois State Attorney Office has not done so,” according to the post.

DoppelPaymer, based on BitPaymer ransomware, emerged in 2019 as a significant cybercriminal threat and has been used since then to carry out a number of high-profile attacks. Visser Precision, a supplier to SpaceX and Tesla; Los Angeles County; and Kia Motors have all been victims of attacks by the group.

DoppelPaymer’s operators initially confined their activity to locking and encrypting files on victims’ networks, but later evolved to threatening to leak stolen data after attacks as a bargaining chip in ransom negotiations, and to making good on those threats.

The Illinois OAG incident comes on the heels of a similar attack and subsequent data leak by the Babuk ransomware gang, whose threat actors claimed earlier this week to have stolen more than 250 gigabytes of data from the Washington D.C. Metropolitan Police Department (MPD). The threat actors have already leaked data from the attack online, including police reports, internal memos, and arrested people’s mug shots and personal details, and said they will release more if ransom demands aren’t met.
