‘Visser Precision’, an expert in precision parts created with injection molding, metal additive manufacturing, and CNC machining, has confirmed that hackers managed to access its internal systems and steal its data. The Denver-based company is a contractor of Tesla, SpaceX, a NASCAR team, and various companies that are active in the Defense, Oil & Gas, Medical, and Agricultural industries. This means that hackers may have stolen highly valuable design secrets that would sell for millions on the dark web. For now, Visser told the press that it is still investigating the data breach incident and assured its clients that its production lines are operating normally.
According to information published by TechCrunch, the ransomware used in this incident was “DoppelPaymer”. This malware first steals the target company's data by exfiltrating it to the actor’s server and then encrypts everything on the local disks. The actor then threatens to publish the stolen files while demanding payment of a ransom. The problem with this new trend, which we saw hit RailWorks a few days ago, is that the malicious actors are holding all the cards. They can leak the stolen data online little by little, putting maximum extortion pressure on the victim organizations.
According to Brett Callow of Emsisoft, the hackers are already leaking SpaceX and Tesla documents, which include customer names, on the dark web. In addition to these two firms, there is also information belonging to Boeing and Lockheed Martin. Reportedly, these documents are accompanied by non-disclosure agreements, so they contain weighty information and not just random stuff. The Emsisoft threat analyst says that the ransomware actors have made some of these documents available for download, so the affected firms are already impacted by this incident. Even more worryingly, the researchers say that the website hosting the stolen files has a lot more documents in the pipeline.
As security analysts point out, DoppelPaymer does not make it clear to victims that their data has been stolen and only directs them to the payment page. This means that a victim could be extorted multiple times and forced to pay the actors an endless amount of money. That said, it is preferable to wait and confirm that nothing has been exfiltrated before paying anything. This means that a ransomware attack should be treated as a data breach. Ideally, not paying the actors is the best way to go, although in some cases, firms simply cannot afford to do that.