In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.
2023-03-06 ⋅ Bleeping Computer ⋅ Bill Toulas
@online{toulas:20230306:core:c40e225,
author = {Bill Toulas},
title = {{Core DoppelPaymer ransomware gang members targeted in Europol operation}},
date = {2023-03-06},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/},
language = {English},
urldate = {2023-03-17}
}
Core DoppelPaymer ransomware gang members targeted in Europol operation
DoppelPaymer |
2023-03-06 ⋅ Landeskriminalamt NRW ⋅ Landeskriminalamt NRW
@online{nrw:20230306:schlag:5e5d84b,
author = {Landeskriminalamt NRW},
title = {{Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen}},
date = {2023-03-06},
organization = {Landeskriminalamt NRW},
url = {https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen},
language = {German},
urldate = {2023-03-23}
}
Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen
DoppelPaymer Entropy FriedEx |
2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa
@online{testa:20220613:killing:36e9385,
author = {Jorge Testa},
title = {{Killing The Bear - Evil Corp}},
date = {2022-06-13},
organization = {Jorge Testa},
url = {https://killingthebear.jorgetesta.tech/actors/evil-corp},
language = {English},
urldate = {2022-07-01}
}
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
@online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6,
author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)},
title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf},
language = {English},
urldate = {2022-04-25}
}
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
2022-04-20 ⋅ CISA ⋅ CISA
@online{cisa:20220420:alert:529e28c,
author = {CISA},
title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a},
language = {English},
urldate = {2022-04-25}
}
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a,
author = {Symantec Threat Hunter Team},
title = {{The Ransomware Threat Landscape: What to Expect in 2022}},
date = {2022-03-16},
institution = {Symantec},
url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf},
language = {English},
urldate = {2022-03-22}
}
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin |
2022-01-05 ⋅ ARMOR ⋅ Armor
@online{armor:20220105:threat:178f0e9,
author = {Armor},
title = {{Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware}},
date = {2022-01-05},
organization = {ARMOR},
url = {https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/},
language = {English},
urldate = {2022-01-12}
}
Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware
DoppelPaymer FriedEx |
2021-12-30 ⋅ LIFARS ⋅ Vlad Pasca
@techreport{pasca:20211230:deep:a307971,
author = {Vlad Pasca},
title = {{A Deep Dive into The Grief Ransomware’s Capabilities}},
date = {2021-12-30},
institution = {LIFARS},
url = {https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf},
language = {English},
urldate = {2022-01-25}
}
A Deep Dive into The Grief Ransomware’s Capabilities
DoppelPaymer |
2021-12-20 ⋅ InQuest ⋅ Nick Chalard
@online{chalard:20211220:dont:0aad3db,
author = {Nick Chalard},
title = {{(Don't) Bring Dridex Home for the Holidays}},
date = {2021-12-20},
organization = {InQuest},
url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays},
language = {English},
urldate = {2021-12-22}
}
(Don't) Bring Dridex Home for the Holidays
DoppelDridex Dridex |
2021-12-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20211220:log4j:1a80230,
author = {Lawrence Abrams},
title = {{Log4j vulnerability now used to install Dridex banking malware}},
date = {2021-12-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/},
language = {English},
urldate = {2021-12-21}
}
Log4j vulnerability now used to install Dridex banking malware
DoppelDridex Meterpreter |
2021-12-07 ⋅ CrowdStrike ⋅ Shaun Hurley
@online{hurley:20211207:critical:959de2e,
author = {Shaun Hurley},
title = {{Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes}},
date = {2021-12-07},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/},
language = {English},
urldate = {2021-12-08}
}
Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
DoppelPaymer |
2021-11-21 ⋅ Cyber-Anubis ⋅ Nidal Fikri
@online{fikri:20211121:dridex:b9218fa,
author = {Nidal Fikri},
title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}},
date = {2021-11-21},
organization = {Cyber-Anubis},
url = {https://cyber-anubis.github.io/malware%20analysis/dridex/},
language = {English},
urldate = {2021-12-01}
}
Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
DoppelDridex Dridex |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9,
author = {The BlackBerry Research & Intelligence Team},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-03 ⋅ CERT-FR ⋅ ANSSI
@online{anssi:20211103:identification:3143cbb,
author = {ANSSI},
title = {{Identification of a new cybercriminal group: Lockean}},
date = {2021-11-03},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/},
language = {English},
urldate = {2021-11-03}
}
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil |
2021-11-03 ⋅ Team Cymru ⋅ tcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb,
author = {tcblogposts},
title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}},
date = {2021-11-03},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/},
language = {English},
urldate = {2021-11-08}
}
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader |
2021-10-28 ⋅ Proofpoint ⋅ Axel F, Selena Larson
@online{f:20211028:ta575:c1cfdd7,
author = {Axel F and Selena Larson},
title = {{TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware}},
date = {2021-10-28},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware},
language = {English},
urldate = {2021-11-03}
}
TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware
DoppelDridex |
2021-10-28 ⋅ Twitter (@BrettCallow) ⋅ Brett Callow
@online{callow:20211028:suspected:ae61e43,
author = {Brett Callow},
title = {{Tweet on suspected actor behind Payorgrief ransomware}},
date = {2021-10-28},
organization = {Twitter (@BrettCallow)},
url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20},
language = {English},
urldate = {2021-11-08}
}
Tweet on suspected actor behind Payorgrief ransomware
DoppelDridex DoppelPaymer |
2021-10-26 ⋅ ANSSI
@techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ 0ffset Blog ⋅ Chuong Dong
@online{dong:20211026:dridex:e054dc4,
author = {Chuong Dong},
title = {{DRIDEX: Analysing API Obfuscation Through VEH}},
date = {2021-10-26},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/},
language = {English},
urldate = {2021-11-03}
}
DRIDEX: Analysing API Obfuscation Through VEH
DoppelDridex |
2021-09-27 ⋅ Security Soup Blog ⋅ Ryan Campbell
@online{campbell:20210927:doppeldridex:daa5f69,
author = {Ryan Campbell},
title = {{DoppelDridex Delivered via Slack and Discord}},
date = {2021-09-27},
organization = {Security Soup Blog},
url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/},
language = {English},
urldate = {2021-09-29}
}
DoppelDridex Delivered via Slack and Discord
DoppelDridex |
2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
@online{team:20210914:big:b345561,
author = {CrowdStrike Intelligence Team},
title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}},
date = {2021-09-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/},
language = {English},
urldate = {2021-09-19}
}
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil |
2021-09-10 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20210910:new:25d8475,
author = {Xiaopeng Zhang},
title = {{New Dridex Variant Being Spread By Crafted Excel Document}},
date = {2021-09-10},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true},
language = {English},
urldate = {2021-09-12}
}
New Dridex Variant Being Spread By Crafted Excel Document
DoppelDridex |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
@techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10,
author = {Tony Lambert and Brian Donohue and Dan Cotton},
title = {{When Dridex and Cobalt Strike give you Grief}},
date = {2021-08-05},
organization = {Red Canary},
url = {https://redcanary.com/blog/grief-ransomware/},
language = {English},
urldate = {2021-09-10}
}
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer |
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20210805:ransomware:0962b82,
author = {Brian Krebs},
title = {{Ransomware Gangs and the Name Game Distraction}},
date = {2021-08-05},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
language = {English},
urldate = {2021-12-13}
}
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet |
2021-07-28 ⋅ Zscaler ⋅ Brett Stone-Gross
@online{stonegross:20210728:doppelpaymer:5deeffe,
author = {Brett Stone-Gross},
title = {{DoppelPaymer Continues to Cause Grief Through Rebranding}},
date = {2021-07-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding},
language = {English},
urldate = {2021-08-02}
}
DoppelPaymer Continues to Cause Grief Through Rebranding
DoppelPaymer |
2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f,
author = {DarkTracer},
title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
date = {2021-05-10},
organization = {DarkTracer},
url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
language = {English},
urldate = {2021-05-13}
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX |
2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f,
author = {Corsin Camichel},
title = {{Ransomware and Data Leak Site Publication Time Analysis}},
date = {2021-04-25},
organization = {Vulnerability.ch Blog},
url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/},
language = {English},
urldate = {2021-04-29}
}
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil |
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
@online{singh:20210423:doppel:1bfd6da,
author = {Vikas Singh},
title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}},
date = {2021-04-23},
organization = {Twitter (@vikas891)},
url = {https://twitter.com/vikas891/status/1385306823662587905},
language = {English},
urldate = {2021-05-25}
}
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer |
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6,
author = {Peter Mackenzie},
title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}},
date = {2021-04-22},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688},
language = {English},
urldate = {2021-05-25}
}
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer |
2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
@techreport{unit42:20210317:ransomware:504cc32,
author = {Unit42},
title = {{Ransomware Threat Report 2021}},
date = {2021-03-17},
institution = {Palo Alto Networks Unit 42},
url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf},
language = {English},
urldate = {2021-03-19}
}
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu
@online{ryu:20210215:operation:b0712b0,
author = {Sojun Ryu},
title = {{Operation SyncTrek}},
date = {2021-02-15},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167},
language = {English},
urldate = {2021-09-02}
}
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker |
2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team
@online{team:20210204:blockchain:4e63b2f,
author = {Chainalysis Team},
title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
date = {2021-02-04},
organization = {Chainanalysis},
url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
language = {English},
urldate = {2021-02-06}
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
@online{research:20210105:overview:1f90b7c,
author = {Trend Micro Research},
title = {{An Overview of the DoppelPaymer Ransomware}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html},
language = {English},
urldate = {2021-01-11}
}
An Overview of the DoppelPaymer Ransomware
DoppelPaymer |
2021 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2021:threat:98f1049,
author = {SecureWorks},
title = {{Threat Profile: GOLD HERON}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-heron},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER |
2020-12-10 ⋅ FBI ⋅ FBI
@techreport{fbi:20201210:pin:8657b3e,
author = {FBI},
title = {{PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services}},
date = {2020-12-10},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2020/201215-1.pdf},
language = {English},
urldate = {2020-12-19}
}
PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services
DoppelPaymer |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201207:foxconn:307c147,
author = {Lawrence Abrams},
title = {{Foxconn electronics giant hit by ransomware, $34 million ransom}},
date = {2020-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/},
language = {English},
urldate = {2020-12-08}
}
Foxconn electronics giant hit by ransomware, $34 million ransom
DoppelPaymer |
2020-12-01 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201201:steal:db9aadd,
author = {Intel 471},
title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}},
date = {2020-12-01},
organization = {Intel 471},
url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/},
language = {English},
urldate = {2020-12-17}
}
Steal, then strike: Access merchants are first clues to future ransomware attacks
DoppelPaymer |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1,
author = {Victoria Kivilevich},
title = {{Zooming into Darknet Threats Targeting Japanese Organizations}},
date = {2020-11-18},
organization = {KELA},
url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
language = {English},
urldate = {2020-11-19}
}
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
2020-11-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201109:laptop:fa3207d,
author = {Lawrence Abrams},
title = {{Laptop maker Compal hit by ransomware, $17 million demanded}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/},
language = {English},
urldate = {2020-11-11}
}
Laptop maker Compal hit by ransomware, $17 million demanded
DoppelPaymer |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-10-23 ⋅ AP News ⋅ Frank Bajak
@online{bajak:20201023:report:7bb3ff0,
author = {Frank Bajak},
title = {{Report: Ransomware disables Georgia county election database}},
date = {2020-10-23},
organization = {AP News},
url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c},
language = {English},
urldate = {2020-11-02}
}
Report: Ransomware disables Georgia county election database
DoppelPaymer |
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt |
2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09,
author = {Victoria Kivilevich},
title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
date = {2020-10-01},
organization = {KELA},
url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
language = {English},
urldate = {2021-05-07}
}
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt |
2020-09-29 ⋅ PWC UK ⋅ Andy Auld
@online{auld:20200929:whats:2782a62,
author = {Andy Auld},
title = {{What's behind the increase in ransomware attacks this year?}},
date = {2020-09-29},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
language = {English},
urldate = {2021-05-25}
}
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20200925:double:fe3b093,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
language = {English},
urldate = {2020-10-02}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER |
2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6,
author = {CrowdStrike Intelligence Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-24},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1},
language = {English},
urldate = {2021-05-31}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER |
2020-09-22 ⋅ Heise Security ⋅ Olivia von Westernhagen
@online{westernhagen:20200922:uniklinik:bae1c32,
author = {Olivia von Westernhagen},
title = {{Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken}},
date = {2020-09-22},
organization = {Heise Security},
url = {https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html},
language = {German},
urldate = {2020-09-23}
}
Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken
DoppelPaymer |
2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20200825:how:5db6a82,
author = {Victoria Kivilevich},
title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}},
date = {2020-08-25},
organization = {KELA},
url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/},
language = {English},
urldate = {2021-05-07}
}
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet |
2020-08 ⋅ Temple University ⋅ CARE
@online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-17 ⋅ CERT-FR ⋅ CERT-FR
@techreport{certfr:20200717:malware:5c58cdf,
author = {CERT-FR},
title = {{The Malware Dridex: Origins and Uses}},
date = {2020-07-17},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf},
language = {English},
urldate = {2020-07-20}
}
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus |
2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555,
author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt},
title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
date = {2020-07-15},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot},
language = {English},
urldate = {2022-07-28}
}
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake |
2020-06-03 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200603:ransomware:116ecb8,
author = {Catalin Cimpanu},
title = {{Ransomware gang says it breached one of NASA's IT contractors}},
date = {2020-06-03},
organization = {ZDNet},
url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/},
language = {English},
urldate = {2020-06-03}
}
Ransomware gang says it breached one of NASA's IT contractors
DoppelPaymer |
2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200324:three:fb92d03,
author = {Lawrence Abrams},
title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}},
date = {2020-03-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
language = {English},
urldate = {2020-03-26}
}
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7,
author = {Lawrence Abrams},
title = {{Ransomware Attackers Use Your Cloud Backups Against You}},
date = {2020-03-03},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/},
language = {English},
urldate = {2020-03-04}
}
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze |
2020-03-02 ⋅ TechCrunch ⋅ Zack Whittaker, Kirsten Korosec
@online{whittaker:20200302:visser:7a6d06b,
author = {Zack Whittaker and Kirsten Korosec},
title = {{Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach}},
date = {2020-03-02},
organization = {TechCrunch},
url = {https://techcrunch.com/2020/03/01/visser-breach/},
language = {English},
urldate = {2020-03-09}
}
Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
DoppelPaymer |
2020-02-25 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200225:doppelpaymer:9ca20ab,
author = {Lawrence Abrams},
title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}},
date = {2020-02-25},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/},
language = {English},
urldate = {2020-02-26}
}
DoppelPaymer Ransomware Launches Site to Post Victim's Data
DoppelPaymer FriedEx |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:b12ae49,
author = {SecureWorks},
title = {{GOLD HERON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-heron},
language = {English},
urldate = {2020-05-23}
}
GOLD HERON
DoppelPaymer Dridex Empire Downloader |
2019-07-12 ⋅ CrowdStrike ⋅ Brett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037,
author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley},
title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}},
date = {2019-07-12},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/},
language = {English},
urldate = {2020-04-25}
}
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx |