A group using the DoppelPaymer ransomware is claiming responsibility for an attack on Torrance, Calif. Torrance is a large city within Los Angeles County, and in March city officials alerted residents and other authorities to an attack on the city's systems. The attack, as the city's press release stated, disabled functions relating to its server network. The press release itself did not mention ransomware, instead calling the incident a “digital compromise.” As time has gone on, however, a link between the incident and a ransomware group called DoppelPaymer has been suspected. Recent developments have confirmed that link. The attack is the latest in a growing series of hacking incidents aimed at cities and other municipalities.
Around February, according to a report from Bleeping Computer, the DoppelPaymer group set up a web page called “Dopple Leaks.” The page serves as a public shaming platform and data repository used to punish victims that do not pay the ransom. In April, Dopple Leaks published information likely stolen during the attack on the City of Torrance.
In a page titled “City of Torrance, CA,” the DoppelPaymer group lists roughly 200GB worth of data on Torrance (pictured below courtesy of Lawrence Abrams, author of the Bleeping Computer report). This data includes, in Abrams’ words, “city budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager.”
It is safe to say that the City of Torrance, at the recommendation of law enforcement, did not pay the ransom. This is the standard operating procedure for ransomware attacks, as paying the criminals merely encourages further attacks. Refusing to pay, however, always carries the risk of exactly this kind of leak: it can never be definitively established how much data the threat actors exfiltrated before the ransomware was purged.
Since the details of this investigation have been kept mostly private, conjecture is all we have at this point. The DoppelPaymer ransomware could still be on the City of Torrance’s network, or, more likely, the attackers gained broad administrative access once the infection began. The city has not stated how the DoppelPaymer group got the ransomware into its network, but a phishing attack is usually how such incidents begin.
Featured image: Wikimedia/City of Torrance