DoppelPaymer ransomware operators have launched a dedicated website on which they publish victims’ data: files stolen from victims who did not pay the ransom.
The attackers thus add a further incentive to pay. Recall that the first ransomware whose operators adopted the theft of files prior to their encryption was Maze. BleepingComputer specialists write: “A new extortion method started by the Maze Ransomware is to steal files before encrypting them and then use them as leverage to get victims to pay the ransom. If a ransom is not paid, then the ransomware operators release the stolen files on a public ‘news’ site to expose the victim to government fines, lawsuits, and the risk of the attack being classified as a data breach.”
This tactic gives the attackers leverage even over victims who have fresh backups of the encrypted files and would otherwise have no reason to pay. Publishing confidential data also exposes the people concerned to further risk: various kinds of scammers will immediately begin to “work” the newly exposed victims, since the leaked data gives them all the information they need.
Besides Maze, the current threat landscape includes three ransomware programs whose operators publish victims’ data: Sodinokibi, Nemty, and DoppelPaymer. The last of these is aimed at attacks on corporate networks.
Reference:
DoppelPaymer is ransomware aimed at businesses: its operators compromise the corporate network, eventually obtain administrator credentials, and then deploy the ransomware across the network to encrypt every device they can reach. Because such attacks encrypt hundreds, if not thousands, of devices, they tend to have a huge impact on the victim’s operations, and the attackers demand a very large ransom.
First, the attackers obtain administrator credentials; then they deploy the malware, which encrypts all devices on the network.
Since a large number of devices is encrypted, DoppelPaymer operators demand a considerable sum of money to restore the files.
To further motivate victims, the criminals threaten to publish the names and details of employees of the companies they have hacked.
For this purpose, the attackers created a dedicated website on which all the stolen information can be posted. At present, the site lists data from four companies that, according to the extortionists, did not pay the ransom.