Florence, Alabama Hit by DoppelPaymer Ransomware Attack After Early Warning
In late May, cybersecurity journalist Brian Krebs alerted officials in Florence, Alabama, that their IT systems had been infiltrated by ransomware operators. Despite initial efforts to contain the threat, the attackers struck on June 5, deploying DoppelPaymer ransomware and demanding $291,000 in Bitcoin, down from an initial demand of $378,000 after negotiations.
The attack disrupted the city’s email system, though Mayor Steve Holt initially downplayed the ransomware aspect. The breach originated on May 6, when hackers compromised the credentials of Florence’s IT manager, Steve Price, via a DHL-themed phishing attack. KrebsOnSecurity, tipped off by Hold Security, warned city officials on May 26, prompting temporary containment measures. However, the attackers maintained access, launching the ransomware attack just days later.
DoppelPaymer, known for exfiltrating data before encryption, threatened to leak sensitive citizen information if the ransom wasn’t paid. Holt confirmed the city plans to pay, citing concerns over exposed personal and financial data. The attack coincided with breaches at four other victims within an hour, including an unnamed municipality.
Security experts, including Emsisoft’s Fabian Wosar, emphasized that partial remediation is insufficient; full network rebuilds are often necessary to remove persistent threats. Hold Security’s Alex Holden noted that ransomware groups frequently lurk in networks for weeks or months before striking, underscoring the need for thorough investigations.
Florence, a city of 40,000 residents, is now grappling with the fallout, highlighting the challenges of responding to ransomware threats even after early detection.
City of Florence, Alabama cybersecurity rating report: https://www.rankiteo.com/company/city-of-florence-alabama
{
"id": "CIT1777451153",
"linkid": "city-of-florence-alabama",
"type": "Ransomware",
"date": "6/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Citizens of Florence, Alabama',
'industry': 'Government',
'location': 'Florence, Alabama, USA',
'name': 'City of Florence, Alabama',
'size': '40,000 residents',
'type': 'Municipality'}],
'attack_vector': 'Phishing (DHL-themed)',
'data_breach': {'data_encryption': 'Yes (DoppelPaymer ransomware)',
'data_exfiltration': 'Yes (threatened leak)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal and financial data'},
'date_detected': '2020-05-26',
'description': 'In late May, cybersecurity journalist Brian Krebs alerted '
'officials in Florence, Alabama, that their IT systems had '
'been infiltrated by ransomware operators. Despite initial '
'efforts to contain the threat, the attackers struck on June '
'5, deploying DoppelPaymer ransomware and demanding $291,000 '
'in Bitcoin. The attack disrupted the city’s email system and '
'originated from a DHL-themed phishing attack compromising the '
"IT manager's credentials.",
'impact': {'brand_reputation_impact': "Negative impact on city's reputation",
'data_compromised': 'Sensitive citizen personal and financial data',
'financial_loss': '$291,000 (ransom demanded)',
'identity_theft_risk': 'High (threatened data leak)',
'operational_impact': 'Disrupted city operations',
'payment_information_risk': 'High (threatened data leak)',
'systems_affected': 'Email system'},
'initial_access_broker': {'entry_point': 'Phishing (DHL-themed)',
'high_value_targets': 'IT manager (Steve Price)',
'reconnaissance_period': 'Weeks to months (prior to '
'May 6)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Partial remediation is insufficient; full network '
'rebuilds are often necessary to remove persistent '
'threats. Ransomware groups may lurk in networks for weeks '
'or months before striking.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Full network rebuild '
'recommended',
'root_causes': 'Compromised credentials via '
'phishing, insufficient '
'remediation'},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': '$291,000 (Bitcoin)',
'ransom_paid': 'Planned (as per Mayor Steve Holt)',
'ransomware_strain': 'DoppelPaymer'},
'recommendations': 'Conduct thorough investigations, implement full network '
'rebuilds if compromised, and enhance phishing awareness '
'training.',
'references': [{'source': 'KrebsOnSecurity'},
{'source': 'Hold Security'},
{'source': 'Emsisoft (Fabian Wosar)'}],
'response': {'communication_strategy': 'Public statements by Mayor Steve Holt',
'containment_measures': 'Temporary containment measures (partial '
'remediation)',
'third_party_assistance': 'Hold Security, KrebsOnSecurity'},
'threat_actor': 'DoppelPaymer ransomware operators',
'title': 'Florence, Alabama Hit by DoppelPaymer Ransomware Attack',
'type': 'Ransomware'}