After the operators of the DoppelPaymer ransomware did not receive a ransom from the Illinois Office of the Attorney General, they leaked a large collection of the office's private files.
The attack took place on April 10 and was formally disclosed three days later, on April 13. The leaked documents are from court cases managed by the Illinois OAG and include personally identifiable information about state prisoners, their grievances, and some private documents that do not appear in public records.
The DoppelPaymer ransomware gang published the files on their dark web portal.
At the time of official disclosure, the office only stated that its network was compromised. Since then, published screenshots of stolen files have confirmed that the incident was a ransomware attack that took place on April 12, when the DoppelPaymer operators took credit for the attack.
Additional files were posted this week when negotiations did not lead to a ransom payment.
Most DoppelPaymer negotiations tend to fail when victims find out about the legal complications that paying the ransom brings.
In December 2019, the US Treasury Department added the Evil Corp cybercrime group to its list of sanctioned entities. Since DoppelPaymer ransomware is largely attributed to the Evil Corp group, any type of financial transaction by US entities to this group is not allowed.
Victims need to apply for special approval from the Treasury Department in order to pay a ransom. The Illinois State Attorney Office has not applied for such approval.
“This investigation is ongoing, and I am committed to resolving this situation as soon as possible to ensure that the Attorney General’s office can continue to provide critical services to the people of Illinois,” Attorney General Kwame Raoul promised in a statement.
The investigation into the extent of this attack is ongoing.