As the pandemic continues around the world, malware authors have hijacked its importance and use it to their advantage. Covid-19 and its various references have been showing up more frequently in phishing lures, masquerading as phony apps, and in many other malware variations. Now there is a resurgence of the ransomware called DoppelPaymer (DP) that is using virus-themed email subject lines to attract victims. This one is significant in the number of different distribution methods that have been used in the three years since its progenitor, BitPaymer, was first discovered.
Covid-19 related scams have certainly proliferated, and we have written about them before:
Where does DP fit into this scheme? Let’s take a closer look.
One of the reasons why malware and phishing scams are so successful is that they follow the most newsworthy stories. While Covid-19 continues to be in the news, it isn’t the only subject. Given all the interest in NASA US-launched manned space missions resuming, it isn’t surprising that criminals have taken advantage with ransomware that has a NASA focus. Earlier this summer, the DP-based ransomware targeted a NASA contractor. The attack was successful at stealing a variety of documents (which were then posted online), including human resource-related and project plans that leaked employee details. This phishing lure congratulated SpaceX’s successes and was targeted at NASA contractors and leaked data collected from more than 2,500 computers online.
What makes DP nastier than your average ransomware are several distinguishing features. First, its authors post its success stories online, which has a double intent of shaming the victims and making it easier for the press to validate the breach. The group has its own Twitter account, for example.
You can see links to various breaches in these locations, including a March attack on the government network of Torrance, California, which was hit with a ransomware attack. More than 200 GB of data was stolen, and the city’s backups were erased and then encrypted, spanning 150 servers and 500 endpoints. Earlier attacks include one in January on a US-based financial services company with a ransom amount equivalent to $150,000, a French cloud-based telecommunications company with a ransom equivalent to $330,000, and a November 2019 attack on Mexico's state-owned oil company, Pemex.
Second, DP has beefed up the ordinary ransomware game by diversifying its malware distribution methods. They do this by bringing in an affiliate model, paying the specialists of particular methods to distribute the malware. In addition to using phishing lures (as we mentioned earlier), they also go after insecure remote desktop configurations, like many other attackers. But they also use other methods to get victims to download their malware, including:
- Botnets
- Exploits
- Malicious advertisement
- Web injects
- Fake updates
- Infected installers
What can you do to protect yourself?
As with any other ransomware, make sure your backups can be restored and are kept separately from the endpoints that are the sources. Keep your endpoints updated with the latest patches and segment your network properly. Spend time regularly training your end users about what to watch out for with phishing lures. Finally, your email servers should have anti-malware protection to keep infections from spreading.