Bretagne Télécom Victim of DoppelPaymer Ransomware Attack

Bretagne Télécom has fallen victim to a DoppelPaymer ransomware attack. The French cloud services provider was compromised by the threat actors behind the DoppelPaymer Ransomware, who used an exploit for the CVE-2019-19781 vulnerability against unpatched servers.

Bretagne Télécom is a privately held French cloud hosting and telecommunications company providing internet and networking, telephony, hosting and cloud computing services to approximately 3,000 customers. It also operates around 10,000 managed servers.

In Bretagne's case, it is a story with a happy outcome: the ransomware attack did not lead to any lost data or a paid ransom, since the company was able to restore all the encrypted systems from readily available backups on Pure Storage FlashBlade arrays. This is not usually the case these days, as most ransomware victims do not have well-tested and maintained backups, which are extremely important for recovering from these attacks. Kudos to them for following proper backup & disaster recovery practices.

As Nicolas Boittin, CEO of Bretagne Télécom, says, the servers were vulnerable to attack because no patches were available yet from Citrix for CVE-2019-19781 when the threat actors managed to drop the DoppelPaymer Ransomware payload on the compromised servers. Citrix is the one to blame here, as they were the ones who made them vulnerable.

After gaining access to one of the server farms in Bretagne Télécom's environment, DoppelPaymer's operators were able to encrypt 148 machines running application servers on Windows 7, Windows 8, and Windows 10 and containing data belonging to “around thirty small business customers”, as Nicolas Boittin, CEO of Bretagne Télécom, informed LeMagIT.

The attack happened in the middle of the night, leaving every bit of information on the hacked systems “completely encrypted” according to Boittin.

As the company later found out, the operators behind DoppelPaymer Ransomware were asking for a ransom of 35 bitcoins (~$330K) for their ‘decryption services’.

Bretagne Télécom’s info on the DoppelPaymer leak site – Source BleepingComputer

The recovery process began by restarting all encrypted servers one by one without a network connection, Boittin said.

“We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions.”

While the restoration process took about six hours for some customers who had less stored on their servers, there were cases where Bretagne Télécom had to work for as much as three days in a row to restore some of the impacted systems for their customers.

Data Was Stolen in the DoppelPaymer Ransomware Attack

While the CEO of Bretagne Télécom says the company was not taken hostage, the DoppelPaymer actors uploaded some sample data over the weekend to their leak site, as shown in the screenshot above.

They also published sample stolen data from a US merchant account firm that was asked to pay a ransom of 15 bitcoins (~$150K), a South African logistics & supply chain company that was sent a ransom demand of 50 bitcoins (~$500K), and Mexico's state-owned oil company Pemex, which got hit with a demand for 568 bitcoins ($4.9 million at the time) on November 10th, 2019 (source: Bleeping Computer).

This once again goes to show that ransomware attacks should be treated as data breaches, as we've been saying for a while now, given that, starting with Maze Ransomware in November 2019, Sodinokibi, Nemty, and BitPyLock have all shared their plans to adopt the same tactic.

Companies that have their systems encrypted by ransomware aren't yet treating such incidents as data breaches, although sensitive records now also get harvested and exfiltrated before the actual encryption takes place.

This will most likely no longer be the case soon enough, as lawmakers are likely to take notice and push out legislation requiring data breach notifications following ransomware attacks.
