Newcastle University, the UK research university, said the team behind the DoppelPaymer ransomware had broken into its network, forcing it to disconnect systems on the morning of 30 August. The university added that it would take several weeks for IT services to return after the attack. The incident is being investigated by British police and the National Crime Agency, in collaboration with Newcastle University's IT Service.
More specifically, the university announced that on Sunday, 30 August 2020, it discovered a serious cyber-attack that disrupted the operation of its networks and IT systems. All university systems, with the exception of those listed in its communications (Office 365, including e-mail and Teams; Canvas; and Zoom), are either unavailable or available only with restrictions. Newcastle University has not yet decided whether to reset account passwords, but says it may do so on the recommendation of its in-house support teams and expert advisers.
The investigation into the attack is still at an early stage. IT teams continue to work on restoring systems and are working with the police and the National Crime Agency on their investigations. No further details about the incident can be disclosed until this initial investigation is complete. According to a university spokesman, the ICO and the Office for Students were notified within 72 hours of the attack being detected.
According to the university, many of its IT services are currently offline and will remain down, while those still operating could be taken offline without warning during recovery efforts.
Newcastle University also added the following:
- Members of the university may lose access to their IT accounts without notice, and those accounts may not be reactivated quickly.
- The university may need access to any IT system maintained or used by its members.
- Computers, servers or other devices may need to be removed if they are found to be affected, so that detailed investigations can be carried out.
While the investigation is ongoing, students and staff will have access only to limited IT services, including Office 365 (email, the Office applications and Teams), basic SAP services and Zoom. The university also advised students and staff to copy key files from the university's shared drive to their OneDrive accounts.
After Newcastle University reported the attack, the DoppelPaymer ransomware operators claimed responsibility for it. They also published about 750 KB of stolen data as proof on their data leak site, Dopple Leaks, a tactic copied from the Maze ransomware gang and in use since February 2020.
DoppelPaymer is a ransomware operation known to have attacked companies since at least mid-June 2019. Its operators obtain administrator credentials and use them to compromise the entire network before deploying the ransomware payload to every device. They are also known to demand large ransoms, since their attacks encrypt hundreds or even thousands of systems on a victim's network.
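The pattern described above, one stolen administrator account being used to reach every machine on the network, leaves a recognisable trace in authentication logs: a single account authenticating to an unusually large number of distinct hosts in a short window. The following is an added example written for this page, not code from the article or from any published analysis of DoppelPaymer. The log lines are constructed, the "ts user src dst" format and the 5-minute / 5-host thresholds are assumptions, and the heuristic is a generic lateral-movement detector rather than a signature for this particular malware.

```python
"""Flag accounts that fan out to many hosts in a short time window.

Added example, not code from the article. The log sample is constructed;
the field layout (ts user src dst) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons, one per line, in the
# assumed "timestamp user source_host destination_host" format. The
# svc-backup account hitting six hosts in 30 seconds is the pattern of interest.
SAMPLE_LOG = """\
2020-08-29T23:58:10 jdoe ws-117 fileserv01
2020-08-30T01:02:11 svc-backup ws-201 srv-db01
2020-08-30T01:02:14 svc-backup ws-201 srv-web01
2020-08-30T01:02:19 svc-backup ws-201 srv-file02
2020-08-30T01:02:25 svc-backup ws-201 ws-044
2020-08-30T01:02:31 svc-backup ws-201 ws-045
2020-08-30T01:02:40 svc-backup ws-201 srv-print01
2020-08-30T01:15:00 asmith ws-033 fileserv01
2020-08-30T03:30:00 svc-backup ws-201 srv-db01
"""


def parse_logons(text):
    """Parse 'ts user src dst' lines into (datetime, user, src, dst) tuples,
    sorted by time so the sliding window below can walk them in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    events.sort(key=lambda e: e[0])
    return events


def find_fan_out(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {user: hosts} for every account that authenticated to at least
    min_hosts distinct destination hosts within any sliding window of `window`.

    The window slides over each account's logons in time order; a repeat logon
    to the same host does not count twice, so a noisy but single-host service
    account is not flagged.
    """
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((ts, dst))

    alerts = {}
    for user, logons in by_user.items():
        start = 0
        for end in range(len(logons)):
            # Advance the window start until it is within `window` of this logon.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[user] = alerts.get(user, set()) | hosts
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fan_out(parse_logons(SAMPLE_LOG)).items():
        print(f"ALERT {user} reached {len(hosts)} hosts: {sorted(hosts)}")
```

In real deployments the same logic runs over Windows 4624 (logon type 3) events, SMB session logs or VPN authentication records; the thresholds need tuning per environment, since legitimate backup, patching and monitoring accounts also fan out, which is why such accounts are usually allow-listed explicitly rather than the threshold raised for everyone.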
In November 2019, the Mexican state oil company PEMEX (Petróleos Mexicanos) was hit by DoppelPaymer, with the gang demanding $4.9 million in bitcoin to decrypt its files. DoppelPaymer takes its name from BitPaymer, with which it shares large portions of code, but its operators have added many upgrades to the malware so that it runs faster.