TT-CSIRT has observed an uptick in local instances of the DoppelPaymer ransomware. According to Threatpost, DoppelPaymer is an emerging type of ransomware that not only locks companies out of their own computer systems by encrypting files, the hallmark of typical ransomware, but also exfiltrates company data and uses it as leverage. The threat actors also threaten to publish or sell the victim's sensitive data if the ransom is not paid.
Technical details can be found on the CrowdStrike blog: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
TT-CSIRT encourages all entities to adopt a heightened state of awareness and to be guided by the following recommendations:
- Keep operating systems, applications and anti-virus platforms updated, including their signature definitions
- Perform regular backups and keep at least one copy offline; backups reachable over the network are encrypted together with everything else
- Enable File History or System Protection. On Windows 10 and Windows 8.1 devices, File History must be turned on and a drive (or network location) selected for it
- Beware of phishing e-mails, spam and malicious attachments. Secure e-mail gateways and conduct awareness exercises with employees
- Implement network segmentation and data categorization to limit the exposure of mission-critical and sensitive data once an attacker is inside the network
- Secure system administration tools that attackers could abuse
- Disable third-party or outdated components that could serve as entry points
- Disable the loading of macros in Office programs
- Disable Remote Desktop whenever possible; where it must remain enabled, do not expose it directly to the Internet
- Use two-factor authentication
- Block web sites known to distribute malware (illegal download sites, adult content sites, etc.)
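The following PowerShell script is an added example, not part of the TT-CSIRT advisory, showing how an administrator can audit a Windows 10 host against several of the recommendations above (Office macros, Remote Desktop, File History, anti-virus and patch currency) and, with the -Remediate switch, enforce the macro and Remote Desktop settings. It assumes Office 2016/365 (registry branch 16.0), Microsoft Defender as the anti-virus, and that the File History configuration lives under the current user's local application data; these are assumptions, and the registry writes are per-user where noted, so in a managed environment the same settings should be pushed through Group Policy instead.

```powershell
# Added example (not from the TT-CSIRT advisory). Run from an elevated PowerShell
# prompt. Without -Remediate the script only reports; with it, the macro and
# Remote Desktop settings are enforced. Assumes Office 16.0 and Microsoft Defender.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# Compare a DWORD registry value against its expected hardened value.
function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Path = $Path; Name = $Name; Expected = $Expected; Actual = $actual; Ok = ($actual -eq $Expected) }
}

# Create the key if needed and write the DWORD value.
function Set-RegValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Office macros. VBAWarnings=4 disables all macros without notification;
#    blockcontentexecutionfrominternet=1 blocks macros in files downloaded from
#    the Internet. These are per-user policy keys (HKCU) and only affect the
#    account running the script; use Group Policy for a fleet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumed Office version
    foreach ($setting in @(@{ Name = 'VBAWarnings'; Value = 4 },
                           @{ Name = 'blockcontentexecutionfrominternet'; Value = 1 })) {
        if ($Remediate) { Set-RegValue -Path $key -Name $setting.Name -Value $setting.Value }
        $findings += Test-RegValue -Path $key -Name $setting.Name -Expected $setting.Value
    }
}

# 2. Remote Desktop. fDenyTSConnections=1 refuses inbound RDP sessions; the
#    built-in "Remote Desktop" firewall rule group is disabled as well.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($Remediate) {
    Set-RegValue -Path $rdpKey -Name 'fDenyTSConnections' -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}
$findings += Test-RegValue -Path $rdpKey -Name 'fDenyTSConnections' -Expected 1

# 3. Report-only checks.
# File History: the service (fhsvc) runs on demand, so service state alone says
# little; the presence of a configuration file shows a drive has been selected.
# The configuration path below is an assumption about where Windows stores it.
$fhConfig = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\FileHistory\Configuration\Config1.xml'
$fhService = Get-Service -Name fhsvc -ErrorAction SilentlyContinue
$fhStatus = if (-not $fhService) { 'service not present' }
            elseif (Test-Path $fhConfig) { 'configured' }
            else { 'service present but no drive configured' }

# Anti-virus currency: age of the Defender signature set, if the Defender module is available.
$sigAge = 'unknown (Defender cmdlets not available)'
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
}

# Patch currency: most recently installed hotfix with a recorded install date.
$lastFix = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

$findings | Format-Table Name, Expected, Actual, Ok -AutoSize | Out-String | Write-Output
Write-Output "File History: $fhStatus"
Write-Output "Defender signature age (days): $sigAge"
if ($lastFix) { Write-Output "Most recent hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn)" }
else { Write-Output "Most recent hotfix: none recorded" }
```

Run it first without -Remediate to see which settings deviate; a row with Ok = False identifies the value to fix. Disabling Remote Desktop this way cuts off any administrator who relies on RDP to reach the machine, so confirm an alternative management path (a console, jump host or remote management tooling) exists before enforcing it on servers.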
Read Microsoft’s full blog post on ransomware: https://www.microsoft.com/security/blog/2016/05/18/the-5ws-and-1h-of-ransomware/
Should your institution fall victim to a ransomware attack or any other type of cyber-attack, please contact TT-CSIRT immediately.