Ransomware gang leaks court and prisoner files from Illinois Attorney General Office
Catalin Cimpanu April 29, 2021

The operators of the DopplePaymer ransomware have leaked a large collection of files from the Illinois Office of the Attorney General after negotiations broke down and officials refused to pay a ransom demand, The Record has learned.

The leaked files include information from court cases orchestrated by the Illinois OAG, including some private documents that do not appear in public records.

The files were published on a dark web portal managed by the DopplePaymer ransomware gang and also include personally identifiable information about state prisoners, their grievances, and cases.

[Image: DopplePaymer leak site entry for the Illinois OAG. Image: The Record]
[Image: Leaked IL OAG files. Image: The Record]

The ransomware attack took place on Saturday, April 10. Officials formally disclosed the incident three days later, on April 13.

The statement only mentioned that the office's network was compromised, but the incident was confirmed to have been a ransomware attack on April 21, when the operators of the DopplePaymer ransomware took credit for it and released a handful of files they had stolen from the office's internal network.

Additional files were posted this week after negotiations stalled.

It is unclear why negotiations between the two parties have failed in this particular case.

Sources who provide incident response services for ransomware attacks have told The Record that, historically, most DopplePaymer negotiations tend to fail and grind to a halt after victims realize that paying the ransom brings legal complications.

These complications stem from the fact that the US Treasury Department added the Evil Corp cybercrime group to its list of foreign sanctioned entities in December 2019, shortly after the Department of Justice charged two of the Evil Corp members.

Since several security firms have said the DopplePaymer ransomware was created by the Evil Corp group, any payment or other financial transaction by US entities to this group is forbidden.

While the Treasury Department is open to approving some transactions if victims reach out and request approval, it appears the Illinois State Attorney Office has not done so.

A spokesperson for the Illinois Office of the Attorney General was not available for comment on Wednesday.

The leak comes after a rival ransomware gang called Babuk Locker threatened to leak files from the DC Police Department, files it claimed could expose the identities of police informants.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.