Throwback Attack: Visser Precision suffers a DoppelPaymer ransomware attack

Image courtesy: Brett Sayles

While Visser Precision is widely known for their work in cybersecurity defense, in 2020 they faced a menacing cyberattack of their own. The well-known space and defense manufacturer was hit by DoppelPaymer ransomware, a type of malware that both encrypts and exfiltrates data. The Denver-based manufacturer, which makes custom parts for major industries from racetracks to outer space, held a substantial amount of sensitive information, making it an attractive target for threat actors.

When Visser was attacked, researchers discovered that important company documents, including nondisclosure agreements with technology giants Tesla, SpaceX and General Dynamics, had been published on the hacking group’s website. Posting them served two purposes: publicizing the list of stolen files and pressuring Visser into paying. In addition to the nondisclosure agreements, the stolen data included a Lockheed Martin schematic for a missile antenna.

DoppelPaymer ransomware first appeared around April 2019 and originated in Russia. It has been used since then to carry out a number of high-profile attacks. Among others, Mexican petroleum giant Pemex, Los Angeles County, Kia Motors and the Illinois Office of the Attorney General (OAG) have all been victims of attacks by the group.

How DoppelPaymer works

DoppelPaymer, like BitPaymer and Maze, is malware designed to lock victims out of their own files through encryption. It encrypts files it finds on the network, on both fixed and removable drives, and appends a “.locked” extension to each encrypted file name. It then changes user passwords and restarts the system so the user no longer has access. Finally, it displays a ransom note on the screen before the user can log in.
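The behavior just described (a burst of file renames to a “.locked” extension, spanning fixed and removable drives) is something a defender can watch for in file-system audit logs. The following is an added illustration written for this article, not code from the original piece or from any vendor; the log line format, host names, process ids, paths, the 10-second window and the threshold of five renames are all constructed assumptions.

```python
"""Rate-based detector for mass renames to a ".locked" extension.

Added example (not from the original article). The log format, hosts,
pids, paths, window and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-event log lines in an assumed "key=value" format.
# One process on ws12 renames five files to .locked within seconds,
# across a fixed (D:) and a removable (E:) drive; the rest is benign noise.
SAMPLE_LOG = """\
2020-03-01T02:14:01Z host=ws12 pid=4412 op=RENAME src=D:\\eng\\antenna.dwg dst=D:\\eng\\antenna.dwg.locked
2020-03-01T02:14:01Z host=ws12 pid=4412 op=RENAME src=D:\\eng\\nda_tesla.pdf dst=D:\\eng\\nda_tesla.pdf.locked
2020-03-01T02:14:02Z host=ws12 pid=4412 op=RENAME src=D:\\eng\\bom.xlsx dst=D:\\eng\\bom.xlsx.locked
2020-03-01T02:14:02Z host=ws12 pid=4412 op=RENAME src=E:\\usb\\notes.txt dst=E:\\usb\\notes.txt.locked
2020-03-01T02:14:03Z host=ws12 pid=4412 op=RENAME src=D:\\eng\\spec.docx dst=D:\\eng\\spec.docx.locked
2020-03-01T02:14:03Z host=ws12 pid=4412 op=WRITE dst=D:\\eng\\readme2unlock.txt
2020-03-01T02:20:15Z host=ws07 pid=1180 op=RENAME src=C:\\tmp\\a.txt dst=C:\\tmp\\a.txt.locked
2020-03-01T03:05:00Z host=ws07 pid=2203 op=RENAME src=C:\\tmp\\draft.md dst=C:\\tmp\\final.md
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) op=(?P<op>\w+)"
    r"(?: src=(?P<src>\S+))? dst=(?P<dst>\S+)$"
)

SUSPECT_EXT = ".locked"          # extension the article reports for encrypted files
THRESHOLD = 5                    # renames to SUSPECT_EXT that trigger an alert (assumed)
WINDOW = timedelta(seconds=10)   # sliding window for the rate check (assumed)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _drive(path):
    """Return the Windows drive prefix ("D:") of a path, or "?" if none."""
    return path[:2].upper() if re.match(r"^[A-Za-z]:", path) else "?"


def find_mass_locked_renames(events, threshold=THRESHOLD, window=WINDOW):
    """Flag (host, pid) pairs that renamed >= threshold files to SUSPECT_EXT
    inside any span of length `window`.

    Returns {(host, pid): {"renames": peak_count_in_window,
                           "drives": sorted drive prefixes touched}}.
    """
    recent = defaultdict(deque)   # per-process timestamps inside the window
    peak = defaultdict(int)       # highest in-window count seen per process
    drives = defaultdict(set)     # drives each process wrote .locked files to
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "RENAME" or not ev["dst"].lower().endswith(SUSPECT_EXT):
            continue
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[key] = max(peak[key], len(q))
        drives[key].add(_drive(ev["dst"]))
    return {
        k: {"renames": peak[k], "drives": sorted(drives[k])}
        for k in peak
        if peak[k] >= threshold
    }


if __name__ == "__main__":
    for (host, pid), info in find_mass_locked_renames(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host} pid={pid}: {info['renames']} files renamed to "
              f"{SUSPECT_EXT} within {WINDOW.seconds}s on drives {info['drives']}")
```

Only the ws12 process trips the rule; the single rename on ws07 stays below the threshold and the draft-to-final rename never matches the extension. In practice the extension alone is a weak signal, so the rate-per-process check and the spread across fixed and removable drives are what make the alert worth paging on.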

The ransom note is always the same and includes instructions on how to move forward. The user is warned not to shut down the system, rename or delete the encrypted files, or try to salvage the files with other software; otherwise, their data could be lost permanently. The only solution provided is to pay the attacker for decryption instructions.

To get to the next step, the user must install the Tor browser and open a link provided in the ransom message. The link leads to a Tor website where the victim can chat online with the attacker. Victims have seven days to use the link, but the longer they take to make contact, the higher the ransom becomes.

To pay or not to pay

Even once a victim pays, there is no guarantee the attacker will be able to decrypt every file or won’t publish the stolen information anyway. While threat actors may have the tools to decrypt the files, many victims end up being scammed and losing their data regardless. Being attacked once also does not protect a company from being attacked again, especially now that the attacker knows its vulnerabilities and is familiar with its systems.

Whether companies pay the ransom or not, partner companies like Tesla and SpaceX aren’t protected because the hackers could still release their stolen private documents. According to Forbes journalist Davey Winder: “It puts pressure not only on the target organization but also those customers whose data is being published or sold. That seems to be what is happening here.” In the case of Visser, partner documents were leaked to the public.

A Lockheed Martin spokesperson told Forbes: “We are aware of the situation with Visser Precision and are following our standard response process for potential cyber incidents related to our supply chain. Lockheed Martin has made and continues to make significant investments in cybersecurity, and uses industry-leading information security practices to protect sensitive information.”

Paying the ransom also leads to legal complications because of a move made by the U.S. Treasury Department (USDT) in late 2019, when it added Evil Corp. to its list of sanctioned foreign entities: “As a result of today’s designations, all property and interests in property of these persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.” In effect, companies may not transact with the attackers unless the USDT approves.

DoppelPaymer relevance today

DoppelPaymer ransomware first appeared in 2019 and is still around wreaking havoc on public and private companies. For instance, there was a hack on the Illinois Office of the Attorney General (OAG) in early April 2021.

The OAG stated: “In the early hours of Saturday morning, it was discovered that the office’s network was compromised. Since then, information technology staff and investigators from the Attorney General’s office have been working closely with federal law enforcement authorities to evaluate the extent to which the network was compromised.”

According to the Record, the leaked files included both public and private documents such as personally identifiable information about state prisoners, as well as their grievances and cases.

The takeaway

At the time of the attack, Visser said, “The company continues its comprehensive investigation of the attack, and business is operating normally. Visser Precision will continue full cooperation with its customer partner companies, but will make no further press comment at this time.”

Visser kept operating as normal, but this malware can reach anyone if the proper precautions are not taken. It is not clear whether the company paid the ransom; either way, DoppelPaymer persists and remains a major threat to both public and private industry.
