Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.
Bretagne Télécom is a privately held French cloud hosting and enterprise telecommunications company that provides telephony, Internet and networking, hosting, and cloud computing services to roughly 3,000 customers, operating around 10,000 managed servers.
In their case, it’s a story with a happy outcome (at least partially, as explained below) seeing that the ransomware attack didn’t lead to any lost data or a paid ransom since the company was able to restore all the encrypted systems from readily available backups on Pure Storage FlashBlade arrays.
Almost 30 TB of encrypted data
As Bretagne Télécom CEO Nicolas Boittin says, the servers were vulnerable to attacks because there were no patches available yet from Citrix for the CVE-2019-19781 vulnerability when the threat actors managed to drop the DoppelPaymer Ransomware payload on the compromised servers.
DoppelPaymer confirmed this information in an email sent to BleepingComputer, saying that the attack took place “Somewhere at the 1st half of January.”
Attackers have started scanning for vulnerable servers on January 8, with exploits becoming available two days later. Citrix started releasing permanent fixes for all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances on January 19, with the final patch being published on January 24.
After infiltrating one of Bretagne Télécom’s server farms, DoppelPaymer’s operators were able to encrypt infiltrate 148 machines running application servers on Windows 7, Windows 8, and Windows 10, and containing data belonging to “around thirty small business customers”, as Bretagne Télécom CEO Nicolas Boittin told LeMagIT.
The attack happened in the middle of the night, leaving every bit of information on the hacked systems “completely encrypted” according to Boittin.
As the company later found out, the operators behind DoppelPaymer Ransomware were asking for a ransom of 35 bitcoins (~$330K) for their ‘decryption services’.
Fortunately, unlike many other victims that had their data encrypted by DoppelPaymer before them, Bretagne Télécom was able to restore customers’ data quite fast using the Pure Storage FlashBlade arrays’ Rapid Restore feature and the five days worth of backup snapshots they provided.
The recovery process began by restarting all encrypted servers one by one without a network connection, Boittin said.
“We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions.”
While for some customers who had less stored on their servers the restoration process took around six hours, there were cases were Bretagne Télécom had to work for as much as three days on a row to restore some of their customers’ impacted systems.
“It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn’t interfere,” Boittin added.
“Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again.”
Some data was stolen during the attack
While Bretagne Télécom’s CEO says that the company wasn’t taken hostage, the DoppelPaymer actors did upload some sample data to their leak site over the weekend as shown in the screenshot above.
They also published sample stolen data from a US merchant account firm that was asked to pay a 15 bitcoins (~$150K) ransom, a South African logistics & supply chain company that was sent a 50 bitcoins (~$500K) ransom, and Mexico’s state-owned oil company Pemex that got hit with a 568 bitcoins ($4.9 million at the time) on November 10th, 2019.
Although in the case of Pemex the hackers stole a large number of files before encrypting the company’s servers, DoppelPaymer told BleepingComputer that they barely stole a small number of files because there was “nothing interesting” to be stolen and it was not their goal.
DoppelPaymer has been encrypting victims’ data since at least mid-June 2019, it comes with a continuously upgraded feature set and it got its name from BitPaymer, with which it’s sharing large portions of code. Its operators, however, have added modifications such as a threaded encryption process for quicker operation.
This once again goes to show that ransomware attacks should be treated as data breaches as we’ve been saying for a while now given that starting with Maze Ransomware in November 2019, Sodinokibi, Nemty, and BitPyLock have all shared their plans to adopt the same tactic (1, 2, 3).
Companies that have their systems encrypted by ransomware aren’t yet treating such incidents as data breaches although sensitive records now also get harvested and exfiltrated before the actual encryption takes place.
This will most likely no longer be the case soon enough, as lawmakers will most likely take notice and push out legislation requiring data breach notifications following ransomware attacks.