A new online post by the DoppelPaymer gang further suggests that a cyberattack experienced by Torrance, California in late February-early March was a case of ransomware — one that appears to have affected personal data, despite the Los Angeles-area city’s claims otherwise.
Brett Callow, threat analyst at Emsisoft, shared several examples of sensitive data published on DoppelPaymer’s doxxing site, where the threat actors post documents stolen from victims as part of an extortion scheme. Examples included a probation violation form from the Torrance City Attorney’s Office; a declaration in support of access to juvenile records filed with the Superior Court of California, County of Los Angeles; and a budget import audit listing.
BleepingComputer has reported that the attackers demanded a 100 ransom — which falls a bit short of $700,000 — after decrypting key files and exfiltrating breached data under the threat of publishing it.
In a March 1 press release set up on a temporary website, Torrance acknowledged the attack in generic terms, referring to an incident as a “digital compromise interrupting email accounts and server function,” resulting in the disruption of some city business services. Ransomware was not specifically cited as the cause.
In that statement, the city asserted that “Public personal data has not been impacted.” But if DoppelPaymer’s new post is, indeed, authentic, then this statement is wrong.
“I don’t know why governments make these hasty claims,” Callow told SC Media. “A more accurate statement would be, ‘We’ve been hit by a ransomware group which is known to steal data, but cannot yet say whether our data was stolen. We’ll only know that when either a) the criminals publish it or b) we complete our forensic investigation in a month’s time. Meantime, people should be on the lookout for spams, scams and fraudulent activity on their accounts.’”
However, Michael Smith, public information officer with Torrance, told SC Media that “Our initial press release still stands [on] its merits,” also noting that “there’s no update at this point.”
Smith said all systems were restored to normal functionality prior to the March COVID-19 lockdowns experienced by California and most other U.S. states. In that sense, the city was fortunate to have bounced back before encountering a major crisis that could very well have slowed down its recovery.
SC Media asked cyber companies what might happen if an attack similar to the one experienced by Torrance were to take place under current COVID-19 conditions.
“In the case of an attack like this, they have to: one, see where it is spread, and two, see where it came from. They have to work backwards from the breach down to the actual systems that are infected,” said Brook Chelmo. software and security product marketing strategist at SonicWall. “This will limit city service and possibly make it difficult for employees to work from home.”
In this hypothetical scenario, “the city may be focusing on keeping VPN connectivity and the network stable for their work-from-home users,” continued Chelmo. Noting that in real life many IT admins “are complaining that procrastination sites and other streaming services are impacting their ability to keep the network functional,” Chelmo further observed that “trying to keep the network functional while remediating this issue [would] be a difficult task. “