Foxconn hit by DoppelPaymer ransomware, reportedly faces US$34M demand in bitcoins

Foxconn was hit by a DoppelPaymer ransomware attack that infected the systems at the Mexican facility of the electronics manufacturing giant over the Thanksgiving weekend, when attackers stole unencrypted files before encrypting devices and deleting files, according to media reports.

“Your files, backups and shadow copies are unavailable until you pay for a decryption tool,” DoppelPaymer wrote in a ransom note that appears on Foxconn’s servers, as reproduced by CRN. “If no contact [is] made in 3 business days after the infection, [the] first portion of data will be shared to [the] public … and all the rest will remain unreachable to you.”

As the deadline set passed last week, it can be assumed that the Taiwanese electronics contract manufacturer reached out to the hackers. Foxconn did not comment to media on the ransomware attack.

The attackers have reportedly demanded a US$34 million ransom and shared the ransom note created on Foxconn servers during the ransomware attack, according to BleepingComputer. The note links to Foxconn’s victim page on DoppelPaymer’s Tor payment site where the threat actors are demanding a 1804.0955 BTC ransom, or approximately $34,686,000 at current bitcoin prices.

As part of the attack, the threat actors claim to have encrypted about 1,200 servers, stolen 100 GB of unencrypted files, and deleted 20 to 30 TB of backups. The DoppelPaymer ransomware gang published files belonging to Foxconn NA on their ransomware data leak site. The leaked data includes generic business documents and reports, but does not contain any financial information or employee’s personal details, BleepingComputer said.

“Disruption to a company’s operations can be costly, which is something that threat actors leverage in their attempts to force victims to pay the requested ransom,” wrote Andrea Carcano, co-founder of OT security company Nozomi Networks to IndustryWeek, in an email on Monday. “DoppelPaymer isn’t the first ransomware to exfiltrate data and threaten to leak it if the requested ransom isn’t paid. We’ve also seen this with Maze ransomware, where exfiltrated data was released after companies refused to pay. Ransomware can pose a further threat in relation to the General Data Protection Regulation (GDPR),” he added.

“This is the second major breach of an OEM fab in as many months,” according to a statement by Saryu Nayyar, CEO of cybersecurity company Gurucul, to IndustryWeek. “It shows the attackers are becoming more sophisticated, going after bigger game, and improving their business model. We can expect this to become their new standard model. Break in. Steal data to use for extortion. Deploy ransomware. Profit. It is a win-win for them, and a lose-lose for the victim even if they have backups in place to deal with a ransomware attack,” she added.

The attack was at Foxconn’s CTBG MX facility located in Ciudad Juárez, Mexico, which was opened in 2005. It is used for assembly and shipping of electronics equipment across South and North America. Since the recent attack, the facility’s website has been down and currently shows an error to visitors.

DoppelPaymer is an emerging type of ransomware that locks companies out of their own computer systems by encrypting files, apart from exfiltrating company data and using it as collateral. It was discovered by endpoint protection software company CrowdStrike in 2019, and has been used in several ransomware campaigns, including cyberattacks against Compal, the City of Edcouch, Texas and Chilean Ministry of Agriculture.

Last month, another electronics manufacturer Compal also suffered a ransomware attack, and the DoppelPaymer ransomware gang was believed to be responsible for the breach, according to a screenshot of the ransom note shared by Compal employees with Yahoo Taiwan reporters.

Qingxiong Lu, Compal’s deputy manager director admitted that the company suffered a security breach but denied that the company’s recent downtime was caused by ransomware. “[Compal] is not being blackmailed by hackers as it is rumored by the outside world,” the Compal executive told reporters, according to ZDNET.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.