Ransomware Cybergangs Are Now Calling Their Victims

After successfully infecting companies’ IT networks with ransomware, some cybergangs are now calling those businesses to intimidate them into paying the ransom. Find out more about this troubling development.

It is a tactic that is meant to intimidate — and often does. After successfully infecting companies’ IT networks with ransomware, cybergangs are calling the businesses to intimidate them into paying the ransom.

The DoppelPaymer ransomware cybergang was one of the first groups to use this tactic. If that name sounds familiar, there’s good reason. In late November 2020, this cybergang used the DoppelPaymer ransomware to encrypt around 1,200 servers in Foxconn’s North America facility in Ciudad Juárez, Mexico, and demanded a ransom of 1804 bitcoins (equivalent to $52.5 million USD at the time of this writing). Before unleashing the ransomware, the cybergang stole 100 gigabytes of the electronics company’s data and deleted as much as 30 terabytes of backup data.

While it is unknown at this time if the DoppelPaymer cybergang called the Foxconn facility after the servers were infected, the group had done so after attacking other businesses. “In multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data,” said the US Federal Bureau of Investigation (FBI) in an alert issued in December 2020.

The DoppelPaymer cybergang went much further in at least one instance, according to the FBI. It was business as usual in the initial call. The cybergang threatened to leak or sell the data it stole if the company did not pay the ransom. But when the company did not give in to the cybergang’s demands, the cybercriminals upped the ante. In subsequent calls, they threatened to send a gang member to the home of a certain employee and provided the employee’s home address as proof they knew where that person lived. The cybergang even called several of the employee’s relatives.

Other Cybergangs Are Calling Victims, Too

The DoppelPaymer cybergang is not the only group calling victims. Other cybergangs using this troubling tactic include those behind the Conti and Ryuk ransomware strains. In one case, the victimized business — a dental practice in Georgia — was not even aware it had been attacked until it received a call from the Conti cybergang. The dentists had noticed some irregularities with their computer system, so they had their server wiped clean and their data reinstalled from a backup. Because the practice’s files had not been encrypted and the dentists did not experience a significant service disruption, the cybergang’s call came as a complete surprise. But the cybergang did indeed attack the practice. The cybergang stole some files before trying to encrypt them, 20 of which were uploaded to its leak site — the site where the group posts the names of “uncooperative” victims and samples of those companies’ data to coerce them into paying the ransom.

What to Do

What should you do if your business falls victim to a ransomware attack and you receive a threatening call? First of all, don’t panic, especially if the caller threatens to come to your home. Security experts believe that most of these calls are coming from an overseas call center that has formed to handle victim negotiations for various ransomware cybergangs.

The FBI recommends that you contact your local FBI field office if your company becomes a ransomware victim, even if you do not get a follow-up call. It also recommends that you do not pay the ransom. However, the FBI notes that it “understands that, when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers”.

A Good Offense Is the Best Defense

When it comes to ransomware, a good offense is the best defense. To thwart attempts, your business should consider taking measures such as:

  • Follow the principle of least privilege for file, directory, and network share permissions.
  • Disable remote access to the computers in your network if it is not needed (e.g., disable Remote Desktop Protocol, or RDP) and secure it on those machines that need it.
  • Monitor network traffic, systems, and resources for suspicious activities (e.g., unusual data transfers).
  • Audit user, administrator, and service accounts, especially remote monitoring and management accounts that are publicly accessible.
  • Have employees use two-step verification (e.g., two-factor authentication) when logging in to business accounts.
  • Educate employees about ransomware, including dangerous practices that can lead to an infection (e.g., clicking links or opening attachments in unsolicited emails).
  • Regularly update the software and firmware installed on your company’s computers so that known security vulnerabilities are patched.
  • Ensure restorable backups are being taken and stored in a location that is not connected to the network.

We can help you create and implement a strategy that will help protect your company against ransomware and other types of malware.


WAMS, Inc.

The experts at WAMS, Inc. all have a background in the legal industry and understand the software and the demands that come along with it. That’s why all our clients receive a dedicated account manager and engineer with specific planning that works for your business needs. We didn’t break into the tech world to pinch pennies from clients. We go into every partnership to help their business scale gracefully. Your company growth is our company growth, always.