The US Federal Bureau of Investigation says it is aware of incidents in which the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands.
The incidents have been happening since February 2020, the FBI said in a PIN (private industry notification) alert, a type of security advisory the Bureau sends to the US private sector on a regular basis to inform them of the latest cyber-security developments.
The FBI PIN alert, sent on December 10, confirms a ZDNet report from December 5 that detailed similar cold-calling tactics used by four other ransomware groups: Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk.
But while our reporting traced phone threats made by ransomware groups back to September this year, the FBI says this tactic was actually first seen with the DoppelPaymer gang months earlier.
“Doppelpaymer is one of the first ransomware variants where actors have called the victims to entice payments,” the FBI said.
“As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” it added.
The agency then goes on to detail one particular incident where threats escalated from the attacked company to its employees and even relatives. From the PIN alert:
“In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”
Threats of violence, as in this case, are usually empty. On the other hand, threats to release or sell the data are not.
The DoppelPaymer gang is one of more than 20 ransomware gangs that operate leak sites, where they publish data stolen from companies that refuse to pay the ransom, as a form of retaliation.
In many cases, companies ignore these threats and choose to restore from backups, but there are also known cases [1, 2] where companies chose to pay to prevent sensitive information from being released online.
In its DoppelPaymer PIN alert, the FBI recommends that organizations secure their networks to prevent intrusions in the first place and, in the case of an attack, that victims notify authorities and try to avoid paying the ransom, since paying emboldens attackers to carry out new intrusions, enticed by the easy profits they are making.