
Cyber Incident Victim: Delaware County

Date:

Nov 2020

Location:

United States of America

Summary

Delaware County, Pennsylvania suffered a ransomware attack attributed to the DoppelPaymer gang, leading to a $500,000 ransom payment reportedly covered by insurance. The incident disrupted portions of the county's network, prompting systems to be taken offline, though emergency services and the election bureau remained unaffected because they ran on separate infrastructure. Attackers accessed databases containing police reports, payroll, and purchasing information, and demanded payment for decryption keys. The gang advised post-attack remediation measures including password changes and Windows domain configuration adjustments to defend against credential-harvesting tools such as Mimikatz, which are commonly used in such intrusions. DoppelPaymer is known for exfiltrating unencrypted files during attacks, though data theft in this case remains unconfirmed.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

Delaware County, Pennsylvania experienced a ransomware attack on or around November 28, 2020, leading to significant operational disruptions. The county discovered unauthorized access to portions of its computer network over the weekend and initiated an immediate investigation. By Monday, November 30, officials had taken affected systems offline as a containment measure. Forensic specialists were engaged to determine the scope of the compromise. The county publicly confirmed the incident but did not initially disclose the ransomware variant involved. Systems supporting police reports, payroll operations, purchasing functions, and unspecified databases were confirmed as compromised during the attack. The Bureau of Elections and the Emergency Services Department remained operational because they ran on separate network infrastructure unaffected by the intrusion. Local media reports indicated that the threat actors demanded a $500,000 ransom payment in exchange for a decryption tool to restore access to encrypted systems.


The DoppelPaymer ransomware gang claimed responsibility for the attack, with sources confirming that Delaware County ultimately paid the $500,000 ransom. Payment occurred after consultation with insurance providers covering such cyber incidents. DoppelPaymer operators advised county IT staff to change all system passwords and modify Windows domain configurations specifically to defend against the Mimikatz credential-harvesting tool, indicating that the attackers likely used domain administrator privileges while moving laterally through the network. The ransomware variant shared substantial code similarities with BitPaymer but used multi-threaded encryption for faster execution. While DoppelPaymer typically exfiltrates unencrypted files during attacks, confirmation of data theft in this incident remained undetermined. County restoration efforts focused on bringing critical systems back online following payment, though specific recovery timelines were not publicly disclosed. The attack disrupted non-emergency government operations but did not impact election systems or emergency response capabilities, owing to network segmentation.
