Illinois Office of Attorney General Sees Leak of Stolen Data Following Ransomware Negotiations Failure
The threat actors behind ransomware gang, DoppelPaymer, have released a substantial amount of stolen files from the Illinois Office of the Attorney General on a server controlled by the group. This was apparently in response to the breakdown of negotiations between the two groups following an April 10 ransomware attack.
The leaked files include not only public information from court cases handled by the Illinois OAG, but also private documents that aren’t a part of the public record, according to security research firm Recorded Future, which detailed the leak in a post on its news portal The Record. The files contain personally identifiable information about state prisoners, their grievances and cases, according to the post.
The Illinois OAG acknowledged publicly on April 13 that its network had been compromised several days earlier, but did not go into detail about what type of attack it was or what type of information had been affected.
On April 21, DoppelPaymer took responsibility for the attack and released several files stolen from the Illinois OAG’s internal network as a teaser to another data dump this week after negotiations about paying the ransom stalled for unclear reasons, according to the post.
Historically, most negotiations between DopplePaymer and its victims fail after victims realize that paying the ransom brings legal complications. These are due to a move by the US Treasury Department in late 2019 to add Evil Corp, the cybercriminal group behind DoppelPaymer, to a list of foreign sanctioned entities, therefore making payments to this group strictly forbidden.
DoppelPaymer, based on BitPaymer ransomware, emerged in 2019 as a significant cybercriminal threat and has been used since then to carry out a number of high-profile attacks. DoppelPaymer’s attackers initially commenced their activity by locking and encrypting files on victims’ networks, but later evolved to using threats to leak stolen data after attacks as a bargaining chip in ransomware negotiations–as well as making good on those threats.