A DoppelPaymer ransomware variant hit the Torrance city in the Los Angeles metropolitan area, California, and had its systems locked down. Moreover, data was stolen and is now being gradually leaked by the malicious actors as they try to apply pressure on the city council to pay the ransom. The amount demanded by the attackers is 100 bitcoin, which is approximately $696,800. If paid, the actors promise to provide a working decryptor, delete the files from the locations where they have been published, and not to release any more.
Torrance has a population of 145k people, whose data are now in the wrong hands. From what can be seen in the files that published so far, the actors have documents that citizens uploaded on the city’s online portal (City Manager), accounting files, budget financial details, and other sensitive archives that weren’t meant to become public. In total, the city’s IT team estimates the size of the stolen data to be about 200GB, deriving from 150 servers and 500 workstations. The same city suffered a cyber-attack again in March, but they guaranteed that no citizen data was involved at that time.
Right now is the worst time to have your personal data compromised and exposed, and also a pretty unfit moment for municipalities to have their systems down. We’re in the middle of the pandemic, so people expect their government and local authorities to support them during times of hardship. In another recent case, nearly 8,000 applicants of the SBA (Small Business Administration) emergency loan (EIDL) have had their PII, SSNs, phone numbers, insurance status, citizenship status, email addresses, birth dates, and full names stolen by hackers.
Emsisoft, however, comes to deliver some good news in this situation, presenting recent ransomware infection rates data that indicates a historical low. As they point out, the number of ransomware infections during the first quarter of 2020 have dropped to a level that we have not seen in several years now. As for the second quarter, the downward trend seems to continue along the same line. This is due to the new challenges that ransomware actors are facing right now, as well as the severely reduced attack surface that resulted from shutting down non-essential services during the COVID-19 pandemic.