Foxconn Ransomware Attack Reportedly Damages Servers, Backups

The ransomware attack was carried out by DoppelPaymer, who’s demanding $34.7 million in Bitcoin and leaked generic Foxconn business documents and reports Monday, according to BleepingComputer.

A ransomware attack against Taiwanese electronics manufacturer Foxconn resulted in stolen files, encrypted files and deleted servers at the company’s Mexican facility, according to BleepingComputer.

Foxconn suffered a ransomware attack Nov. 29 at its North American facility located in Ciudad Juarez, Mexico, BleepingComputer reported Monday. The attack was carried out by ransomware operator DoppelPaymer, who’s demanding $34.7 million in Bitcoin and leaked generic Foxconn business documents and reports on their ransomware data leak site Monday.

“Your files, backups and shadow copies are unavailable until you pay for a decryption tool,” DoppelPaymer wrote in a ransom note that appears on Foxconn’s servers. “If no contact [is] made in 3 business days after the infection, [the] first portion of data will be shared to [the] public … and all the rest will remain unreachable to you.”

[Related: The 11 Biggest Ransomware Attacks Of 2020 (So Far)]

Foxconn, which is the parent company of electronics manufacturer Sharp Corp. and connectivity device manufacturer Belkin, did not respond to a request for comment from CRN. The company has been in the headlines since July 2017 for its plans to build a $10 billion TV manufacturing plant in southeastern Wisconsin that it claimed would employ 13,000 people, though job creation has fallen well short of that.

DoppelPaymer told BleepingComputer that they encrypted about 1,200 servers, stole 100 gigabytes of unencrypted files, and deleted 20-30 terabytes of backups as part of their Nov. 29 attack. The encryption only affected Foxconn’s North American segment and wasn’t focused on workstations, DoppelPaymer told BleepingComputer.

Foxconn’s CTBG MX facility opened in 2005, and is used by Foxconn for the assembly and shipping of electronics equipment to all regions of North and South America. Since the ransomware attack, the facility’s web site has been down and currently shown an error to visitors.

DopperPaymer’s ransom note includes a link to Foxconn’s victim page on the ransomware operators Tor payment site. There, DoppelPaymer is demanding a ransom of more than 1,804 Bitcoin, according to BleepingComputer.

“This page and your decryption key will expire in 21 days after your systems were infected,” DoppelPaymer wrote on the Foxconn victim webpage. “Sharing this link or email will lead to the irreversible removal of the decryption key.”

DoppelPaymer notably commandeered a Windows 10 system in the IT environment of Florence, Ala. in May 2020, with hackers gaining a foothold in the city’s network by using the username for the city’s manager of information systems, KrebsOnSecurity reported at the time. Then in June 2020, a DoppelPaymer cyberattack shut down the city’s email system, Florence Mayor Steve Holt said.

The ransomware gang appeared to have simultaneously compromised networks belonging to four other victims within an hour of Florence, including another municipality, KrebsOnSecurity reported at the time. DoppelPaymer initially demanded $378,000 in Bitcoin, but an outside security firm hired by the city was able to negotiate the price down to $291,000 in Bitcoin, according to KrebsOnSecurity.