Ransomware Gangs now Cold Call and Harass Victims

The recent SolarWinds supply chain attack has dominated InfoSec headlines. The sheer scale of the attack warrants the coverage with even major media outlets dedicating time and space to cover the story. While the publics' attention is diverted elsewhere, hackers don’t seem to take too many breaks. Even before the SolarWinds incident, several ransomware gangs were morphing tactics once more. Now gangs like DoppelPaymer, Conti, Ryuk are cold calling victims who managed to restore systems from backups. This is done to harass and place extra pressure on victims to pay the ransom.   

According to an article published by ZDNet dating back to December 5, 2020, security researchers saw this trend emerging as far back as August of this year. The cold calling of victims is believed to be done by an outsourced call center, possibly working for the gangs mentioned above and believed to work for the now-defunct Maze and Sekhmet ransomware gangs.

The above-mentioned publication even received a recorded call made by the possible call center, with the call being made by someone speaking English but heavily accented, suggesting the call is made by a non-native English speaker.

ransomware gangs cold call their victims

Some of the call’s transcript was reproduced which read,

“We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”

The development can be seen as yet another evolution in tactics geared towards forcing victims to pay ransoms. Ransomware gangs have already adopted the tactic of stealing data and releasing it to dedicated “leak sites” to increase pressure on victims, the tactic has been dubbed double extortion by the InfoSec community and began in earnest towards the end of 2019. The calling of victims is not necessarily a new development; however, the use of an outsourced call center may prove to be the refining of an older tactic.

In 2017, Action Fraud warned that hackers were phoning schools allegedly from the Department of Education (The department that handles all matters relating to education in the UK is the Department for Education), asking for personal details, personal email addresses or contact numbers, of the headteacher as the needed to pass sensitive information to the schools head. Emails would then be sent containing ransomware in a .zip file. If one gets pedantic, the calls seem to be made in an attempt to spread the malware rather than attempting to place more pressure on an organization that has already experienced an attack.

FBI warns of DoppelPaymer Harassing Victims

An alert published by the US Federal Bureau of Investigation (FBI) confirms the earlier ZDNet article. In the alert, the FBI states that it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies to intimidate and coerce victims into paying ransom demands. Further, based on statements made in the alert the gang has been employing the tactic since February this year. This indicates that the tactic has been employed for far longer than the original belief of the tactic starting in August and September. The calls typically are done to either threaten the victim that they’ll release sensitive data or plain old intimidation tactics. In one incident threats were leveled at employees and their families. Officials noted,

“In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee's home address. The actor also called several of the employee's relatives.”

It is important to note that the threats of violence are empty but the threats to release data have been acted upon by the ransomware gang. To prevent or possibly mitigate an attack the FBI recommends that victims secure their networks to prevent intrusions in the first place, and in the case of an attack, recommended that victims notify authorities and try to avoid paying the ransom as this emboldens attackers to carry out new intrusions, enticed by the easy profits they're making. This is advice that has been given thousands of times over the years but is still sage advice.

The alert further elaborates on targets favored by the DoppelPaymer gang, particularly within the borders of the US. Organizations within these sectors should take special note of the alert. Along with stating that Healthcare, Emergency Services, and Educational Institutions are targeted specifically by the gang, the alert has provided examples of past incidents.

An Infamous Past

The first example given by the FBI regarding attacks on healthcare involved the tragic incident in Germany this year. A DoppelPaymer attack left a German hospital unable to communicate with paramedics who had attended an individual and needed to bring her to hospital as it was an emergency. Due to the breakdown in communications resulting from the ransomware attack the individual needed to be taken to a hospital further than the affected one. The individual later died, however, German prosecutors did not formally charge the gang as the individual was believed to be of ill health and death was likely despite being rerouted. German authorities did contact the gang via the channels provided, with the gang electing to release the decryption key once they learned that patients' lives had been endangered by the attack.

Another incident involving the healthcare sector was summarized by the FBI and occurred in 2019. A US medical center suffered a ransomware attack where DoppelPaymer infected thirteen of the facility's servers. The gang demanded 50 Bitcoin to decrypt important files, which was roughly 600,000 USD at the time. It took the medical center several weeks to recover data from backups. Given the current epidemic which is now in a second wave across the globe, attacking hospitals already strained should be avoided for numerous moral reasons, let alone public health reasons. Security researchers and officials have asked ransomware gangs to avoid targeting the healthcare sector. Some have agreed while others have ignored the request.

Emergency services have likewise been targeted by the DoppelPaymer gang. In September 2020, a DoppelPaymer attack on an emergency center resulted in officials being unable to access the computer-aided dispatch system. Further, the attacker reset passwords and removed domain administrator accounts making recovery a much harder prospect without paying the ransomware. In the summer of 2020, again members of the DoppelPaymer gang attacked emergency services. Officials summarized the attack stating,

“In summer2020, a DoppelPaymer attack disrupted police and emergency services as well as other government functions for an identified US city, forcing them to revert to manual operations to continue essential services to the community. The ransomware was introduced via an Internet Explorer/Edge browser after an employee viewed a cryptocurrency website. The city’s system was infected by a Dridex malicious advertisement campaign through the browser’s temporary internet files. The ransomware was successful in encrypting files stored on the following platforms: Windows 7, Windows 10, Server 2008, Server 2012, and Server 2016”

The gang has targeted several educational institutions, often resulting in missed classes and severely hampered services being offered for several weeks after the attack. The new tactic of cold calling victims to either intimidate or threaten to release sensitive data previously stolen is yet another evolutionary step regarding ransomware’s stranglehold on the threat they pose to organizations of all kinds, be they government departments tasked with protecting and serving their community to the largest multi-national corporations.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal