Manufacturing powerhouse confirmed North American operations impacted by November cyberattack.

Foxconn Technology Group confirmed Tuesday that a November cyberattack knocked some of its U.S. operations offline. The incident is reportedly a ransomware attack carried out by a cybergang attempting to extort $34 million from the global manufacturing powerhouse.

“We can confirm that an information system in the U.S. that supports some of our operations in the Americas was the focus of a cybersecurity attack on November 29,” Foxconn said in a statement on Tuesday.

“The system that was affected by this incident is being thoroughly inspected and being brought back into service in phases,” the company said in a press statement.

According to a BleepingComputer report, the attack is believed to have been carried out by the DoppelPaymer cybergang. Hit was Foxconn’s manufacturing facility located in Chihuahua, Mexico. Criminals reportedly encrypted 1,200 servers, downloaded 100GB of data and deleted between 20-to-30TB backups.

Confidential Foxconn business documents appear to have been released publicly by the attackers in an attempt to verify that the data systems have been breached. Foxconn did not confirm with Threatpost the legitimacy of documents made public and reported on by BleepingComputer.

The DopplePaymer criminal group, whose ransomware goes by the same name, made headlines last year in a string of attacks against a number of large organizations, noted Andrea Carcano, co-founder of Nozomi Networks, in a prepared statement.

Carcano also noted that it’s now common for ransomware criminals to encrypt, delete and steal data as part of their crime. The hope is to force victims to pay a ransom to prevent public exposure of data and avoid the crippling of business systems.

Foxconn’s Chihuahua, Mexico manufacturing facility is used to assemble and ship electronics to the Americas, according to Foxconn. As of this writing the Foxconn Mexico-facility website (https://fii-na[.]com.mx/) appears to be down.

Saryu Nayyar, CEO of Gurucul, emphasized in a prepared statement that the “new standard model” for these attacks are, “break in, steal data to use for extortion and deploy ransomware.”

“It is a win-win for them, and a lose-lose for the victim even if they have backups in place to deal with a ransomware attack,” he wrote.

Large targets don’t just add up to potential big paydays. According to Chloé Messdaghi, VP of strategy at Point3 Security, large corporations have become prime targets for cybergangs given their ability to pay massive ransomware demands.

“In Foxconn’s case, it may well have to actually pay the ransom, because hitting and halting production is an attacker’s dream,” she wrote. For a billion-dollar corporation like Foxconn, spending $34 million may be an acceptable price to maintain business continuity, Messdaghi wrote.

The U.S. Cyber Emergency Response Team has long cautioned ransomware victims not to pay. “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” the advisory says. “In addition, decrypting files does not mean the malware infection itself has been removed,” it wrote in an past advisory.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.