Newcastle University DoppelPaymer Ransomware Attack 2020: Data Published on Dark Web
In August 2020, Newcastle University confirmed it had suffered a significant cyberattack. The attack was later attributed to DoppelPaymer — a sophisticated ransomware group known for double extortion: encrypting systems and exfiltrating data, then threatening to publish stolen data on a dark web leak site if the ransom was not paid. Newcastle University's systems were disrupted for weeks, with significant impact on the university's operations at the start of the 2020 academic year. Sensitive staff and student data was subsequently published on the DoppelPaymer leak site — making Newcastle University one of the highest-profile UK higher education ransomware victims and a defining case study for the JISC and NCSC's education sector threat assessments.
Newcastle University 2020: DoppelPaymer ransomware — sensitive staff and student data published on dark web, weeks of system disruption at the start of the academic year.
The DoppelPaymer Attack: What Happened
Newcastle University disclosed the attack in late August 2020. IT systems were taken offline as the university responded to the ransomware. The timing was particularly damaging — the attack struck as the university was preparing for the start of the 2020 academic year during the COVID-19 pandemic, a period when digital systems were more critical than ever for managing a mixed in-person and remote learning environment. DoppelPaymer operates double extortion: encrypting systems while simultaneously exfiltrating data. If the ransom is not paid, the stolen data is published on the group's Tor-based leak site. Newcastle University did not pay the ransom — and DoppelPaymer subsequently published data stolen from the university on the dark web.
DoppelPaymer: The Threat Actor
DoppelPaymer emerged in 2019 as an offshoot of the BitPaymer ransomware family, linked to the Russian-speaking cybercriminal group Evil Corp. The group quickly became one of the most active and destructive ransomware operations of 2019-2021, targeting high-value organisations in education, healthcare, government, and critical infrastructure. In 2021, Europol and the FBI took coordinated action against DoppelPaymer infrastructure, identifying suspects and disrupting operations. However, by this point the group had conducted dozens of high-profile attacks — with Newcastle University among the most prominent UK victims. DoppelPaymer has since been linked to the emergence of Grief ransomware, which operated with similar tactics.
Data Published on the Dark Web
Newcastle University's refusal to pay the ransom — the correct decision — resulted in DoppelPaymer publishing stolen data on its dark web leak site. The published data included sensitive university information. Staff and student data being published on the dark web creates lasting risk:
- Data may be used for identity theft, phishing, and credential stuffing attacks against affected individuals
- Sensitive research data may be accessible to competitors or hostile state actors
- The publication is permanent — data cannot be "unpublished" from dark web leak sites
- Individuals whose data was published may have claims against the university under UK GDPR
Newcastle University notified affected individuals and reported the breach to the ICO, as required by UK GDPR.
Weeks of System Disruption
Recovery from the DoppelPaymer attack took weeks — a common pattern in major university ransomware incidents. During this period, the university's IT systems were significantly disrupted. For Newcastle University, the timing — immediately before the start of the 2020 academic year — meant the disruption coincided with peak demand for student registration, enrolment, and course setup systems. The attack also disrupted research operations. Universities hold research data of significant value — intellectual property, clinical trial data, commercially sensitive project information — that requires specialised backup and recovery processes beyond those used for standard administrative systems.
Lessons for UK Universities
Newcastle University's experience highlights the specific risks faced by UK research universities:
- Research IP theft: universities hold commercially and academically valuable research data that attackers can monetise through dark web publication or sale to competitors
- Academic calendar vulnerability: attacks timed for September create maximum operational impact
- International student data: universities hold data for thousands of international students, creating complex GDPR and cross-border notification obligations
- JISC Janet network: while Janet provides network-level protection, it does not prevent attacks delivered via phishing or compromised credentials
- Double extortion is now standard: not paying the ransom does not prevent data publication — it must be assumed that any data exfiltrated will be published
Frequently Asked Questions
How did DoppelPaymer gain access to Newcastle University's systems?
Newcastle University did not publish the full technical details of the initial attack vector. DoppelPaymer typically gains initial access through phishing emails, exploitation of internet-facing vulnerabilities (particularly in VPN and remote access systems), or through the Remote Desktop Protocol (RDP). The 2020 period saw significant exploitation of VPN vulnerabilities as organisations expanded remote access during COVID-19 — Newcastle University's attack during this period is consistent with this pattern.
What data was published on the dark web after the Newcastle University attack?
DoppelPaymer published data on its leak site following Newcastle University's refusal to pay the ransom. The full extent of the published data has not been comprehensively disclosed. University breaches of this type typically involve a mix of administrative data, staff HR records, student data, and potentially research materials. Newcastle University notified affected individuals as required by UK GDPR.
How should universities respond when ransomware attackers publish stolen data?
Once data is published on a dark web leak site, it cannot be removed. Universities should notify affected individuals promptly, explaining what data was involved and what risks they may face. Report to the ICO as required (within 72 hours of becoming aware of the breach). Engage specialist identity monitoring services for affected individuals where appropriate. Work with law enforcement and NCSC on attribution and any potential criminal proceedings. Document all response actions for regulatory purposes.