Foxconn suffers DoppelPaymer ransomware attack, gets £25m ransom demand

Smartphone manufacturing giant Foxconn has suffered a disruptive DoppelPaymer ransomware attack on its manufacturing plant in Mexico and is facing a ransom demand of over £25 million from ransomware operators.

The DoppelPaymer ransomware attack reportedly took place during the Thanksgiving weekend and resulted in hackers exfiltrating a vast trove of corporate data from hundreds of company servers located at the Foxconn facility in Chihuahua, Mexico.

The affected manufacturing plant is Foxconn's sole facility in the region and supplies electronic equipment and devices in South and North America. However, the facility is set to lose its preeminence as Foxconn has committed to investing $10 billion to build a new manufacturing campus in southeastern Wisconsin that will create 13,000 new jobs and tens of thousands of indirect jobs.

Founded in 2005, the 682,000-square-foot manufacturing facility in Ciudad Juarez, Mexico employs up to 5,000 people. According to reports, Foxconn is also planning to set up another factory in the city to move production away from China and to compete with manufacturing rival Pegatron, which is also setting up bases in Mexico.

The recent ransomware attack on Foxconn's Ciudad Juarez facility was carried out by the DoppelPaymer ransomware gang, which was recently in the news for targeting Newcastle University servers in an attack that affected access to study materials for on-campus and online induction and online teaching. The ransomware gang bragged about breaching Foxconn servers on Twitter this Monday.

Talking to Bleeping Computer, the ransomware gang said it only targeted servers located at the Foxconn facility in Mexico, and that after infiltrating the company's IT systems, they "encrypted about 1,200 servers, stole 100 GB of unencrypted files, and deleted 20-30 TB of backups."

According to Reuters, Foxconn confirmed the ransomware attack in a statement to the Taiwan stock exchange, stating that the attack had limited impact on its operations and that the facility's internet connection had gradually returned to normal. The company also shared a statement with Bleeping Computer, which is as follows:

"We can confirm that an information system in the US that supports some of our operations in the Americas was the focus of a cybersecurity attack on November 29. We are working with technical experts and law enforcement agencies to carry out an investigation to determine the full impact of this illegal action and to identify those responsible and bring them to justice. The system that was affected by this incident is being thoroughly inspected and being brought back into service in phases."

The news site also accessed a ransom note that was sent to Foxconn by the DoppelPaymer group. In the note, the hackers directed the company to contact them via a link on Tor and to pay a ransom of 1804.0955 BTC, which translates to over £25.6 million, in order to regain access to the stolen files. Foxconn is yet to acknowledge the ransom note publicly.

Commenting on the ransomware attack, Andrea Carcano, co-founder of Nozomi Networks, said that successful attacks such as this DoppelPaymer incident demonstrate that extorting large organisations can be much more profitable than attacking unsuspecting individuals.

"Targeted ransomware like DoppelPaymer, BitPaymer, SamSam, Ryuk, and others attack large businesses because this tactic can be much more profitable than attacking unsuspecting individuals. Disruption to a company’s operations can be costly, which is something that threat actors leverage in their attempts to force victims to pay the requested ransom.

"These kinds of ransomware scenarios should be factored into an organization’s incident response plans. Beyond a technical response, decision-makers need to be prepared to weigh the risks and consequences of alternative actions.

"Ransomware threat actors typically rely on spear-phishing links or vulnerable public services to gain initial entry into a network. Afterward, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption.

"To protect OT and IoT environments from ransomware, cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication, and the use of continuously updated threat intelligence should be considered," he added.

Copyright Lyonsdown Limited 2020