In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple big game hunting (BGH) incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.
2023-03-06 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20230306:core:c40e225,
author = {Bill Toulas},
title = {{Core DoppelPaymer ransomware gang members targeted in Europol operation}},
date = {2023-03-06},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/},
language = {English},
urldate = {2023-03-17}
}
Core DoppelPaymer ransomware gang members targeted in Europol operation DoppelPaymer |
2023-03-06 ⋅ Landeskriminalamt NRW ⋅ Landeskriminalamt NRW @online{nrw:20230306:schlag:5e5d84b,
author = {Landeskriminalamt NRW},
title = {{Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen}},
date = {2023-03-06},
organization = {Landeskriminalamt NRW},
url = {https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen},
language = {German},
urldate = {2023-03-23}
}
Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen DoppelPaymer Entropy FriedEx |
2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa @online{testa:20220613:killing:36e9385,
author = {Jorge Testa},
title = {{Killing The Bear - Evil Corp}},
date = {2022-06-13},
organization = {Jorge Testa},
url = {https://killingthebear.jorgetesta.tech/actors/evil-corp},
language = {English},
urldate = {2022-07-01}
}
Killing The Bear - Evil Corp FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA) @techreport{cisa:20220420:aa22110a:4fde5d6,
author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)},
title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf},
language = {English},
urldate = {2022-04-25}
}
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
2022-04-20 ⋅ CISA ⋅ CISA @online{cisa:20220420:alert:529e28c,
author = {CISA},
title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}},
date = {2022-04-20},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a},
language = {English},
urldate = {2022-04-25}
}
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team @techreport{team:20220316:ransomware:1c2a72a,
author = {Symantec Threat Hunter Team},
title = {{The Ransomware Threat Landscape: What to Expect in 2022}},
date = {2022-03-16},
institution = {Symantec},
url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf},
language = {English},
urldate = {2022-03-22}
}
The Ransomware Threat Landscape: What to Expect in 2022 AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin |
2022-01-05 ⋅ ARMOR ⋅ Armor @online{armor:20220105:threat:178f0e9,
author = {Armor},
title = {{Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware}},
date = {2022-01-05},
organization = {ARMOR},
url = {https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/},
language = {English},
urldate = {2022-01-12}
}
Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware DoppelPaymer FriedEx |
2021-12-30 ⋅ LIFARS ⋅ Vlad Pasca @techreport{pasca:20211230:deep:a307971,
author = {Vlad Pasca},
title = {{A Deep Dive into The Grief Ransomware’s Capabilities}},
date = {2021-12-30},
institution = {LIFARS},
url = {https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf},
language = {English},
urldate = {2022-01-25}
}
A Deep Dive into The Grief Ransomware’s Capabilities DoppelPaymer |
2021-12-20 ⋅ InQuest ⋅ Nick Chalard @online{chalard:20211220:dont:0aad3db,
author = {Nick Chalard},
title = {{(Don't) Bring Dridex Home for the Holidays}},
date = {2021-12-20},
organization = {InQuest},
url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays},
language = {English},
urldate = {2021-12-22}
}
(Don't) Bring Dridex Home for the Holidays DoppelDridex Dridex |
2021-12-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211220:log4j:1a80230,
author = {Lawrence Abrams},
title = {{Log4j vulnerability now used to install Dridex banking malware}},
date = {2021-12-20},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/},
language = {English},
urldate = {2021-12-21}
}
Log4j vulnerability now used to install Dridex banking malware DoppelDridex Meterpreter |
2021-12-07 ⋅ CrowdStrike ⋅ Shaun Hurley @online{hurley:20211207:critical:959de2e,
author = {Shaun Hurley},
title = {{Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes}},
date = {2021-12-07},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/},
language = {English},
urldate = {2021-12-08}
}
Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes DoppelPaymer |
2021-11-21 ⋅ Cyber-Anubis ⋅ Nidal Fikri @online{fikri:20211121:dridex:b9218fa,
author = {Nidal Fikri},
title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}},
date = {2021-11-21},
organization = {Cyber-Anubis},
url = {https://cyber-anubis.github.io/malware%20analysis/dridex/},
language = {English},
urldate = {2021-12-01}
}
Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction DoppelDridex Dridex |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211105:hunter:3c7bab9,
author = {The BlackBerry Research & Intelligence Team},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-03 ⋅ CERT-FR ⋅ ANSSI @online{anssi:20211103:identification:3143cbb,
author = {ANSSI},
title = {{Identification of a new cybercriminal group: Lockean}},
date = {2021-11-03},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/},
language = {English},
urldate = {2021-11-03}
}
Identification of a new cybercriminal group: Lockean DoppelPaymer Egregor Maze PwndLocker REvil |
2021-11-03 ⋅ Team Cymru ⋅ tcblogposts @online{tcblogposts:20211103:webinject:f4d41bb,
author = {tcblogposts},
title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}},
date = {2021-11-03},
organization = {Team Cymru},
url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/},
language = {English},
urldate = {2021-11-08}
}
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance DoppelDridex IcedID QakBot Zloader |
2021-10-28 ⋅ Proofpoint ⋅ Axel F, Selena Larson @online{f:20211028:ta575:c1cfdd7,
author = {Axel F and Selena Larson},
title = {{TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware}},
date = {2021-10-28},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware},
language = {English},
urldate = {2021-11-03}
}
TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware DoppelDridex |
2021-10-28 ⋅ Twitter (@BrettCallow) ⋅ Brett Callow @online{callow:20211028:suspected:ae61e43,
author = {Brett Callow},
title = {{Tweet on suspected actor behind Payorgrief ransomware}},
date = {2021-10-28},
organization = {Twitter (@BrettCallow)},
url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20},
language = {English},
urldate = {2021-11-08}
}
Tweet on suspected actor behind Payorgrief ransomware DoppelDridex DoppelPaymer |
2021-10-26 ⋅ ANSSI @techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ 0ffset Blog ⋅ Chuong Dong @online{dong:20211026:dridex:e054dc4,
author = {Chuong Dong},
title = {{DRIDEX: Analysing API Obfuscation Through VEH}},
date = {2021-10-26},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/},
language = {English},
urldate = {2021-11-03}
}
DRIDEX: Analysing API Obfuscation Through VEH DoppelDridex |
2021-09-27 ⋅ Security Soup Blog ⋅ Ryan Campbell @online{campbell:20210927:doppeldridex:daa5f69,
author = {Ryan Campbell},
title = {{DoppelDridex Delivered via Slack and Discord}},
date = {2021-09-27},
organization = {Security Soup Blog},
url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/},
language = {English},
urldate = {2021-09-29}
}
DoppelDridex Delivered via Slack and Discord DoppelDridex |
2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team @online{team:20210914:big:b345561,
author = {CrowdStrike Intelligence Team},
title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}},
date = {2021-09-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/},
language = {English},
urldate = {2021-09-19}
}
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil |
2021-09-10 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20210910:new:25d8475,
author = {Xiaopeng Zhang},
title = {{New Dridex Variant Being Spread By Crafted Excel Document}},
date = {2021-09-10},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true},
language = {English},
urldate = {2021-09-12}
}
New Dridex Variant Being Spread By Crafted Excel Document DoppelDridex |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton @online{lambert:20210805:when:aeb7b10,
author = {Tony Lambert and Brian Donohue and Dan Cotton},
title = {{When Dridex and Cobalt Strike give you Grief}},
date = {2021-08-05},
organization = {Red Canary},
url = {https://redcanary.com/blog/grief-ransomware/},
language = {English},
urldate = {2021-09-10}
}
When Dridex and Cobalt Strike give you Grief Cobalt Strike DoppelDridex DoppelPaymer |
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20210805:ransomware:0962b82,
author = {Brian Krebs},
title = {{Ransomware Gangs and the Name Game Distraction}},
date = {2021-08-05},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
language = {English},
urldate = {2021-12-13}
}
Ransomware Gangs and the Name Game Distraction DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet |
2021-07-28 ⋅ Zscaler ⋅ Brett Stone-Gross @online{stonegross:20210728:doppelpaymer:5deeffe,
author = {Brett Stone-Gross},
title = {{DoppelPaymer Continues to Cause Grief Through Rebranding}},
date = {2021-07-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding},
language = {English},
urldate = {2021-08-02}
}
DoppelPaymer Continues to Cause Grief Through Rebranding DoppelPaymer |
2021-05-10 ⋅ DarkTracer ⋅ DarkTracer @online{darktracer:20210510:intelligence:b9d1c3f,
author = {DarkTracer},
title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
date = {2021-05-10},
organization = {DarkTracer},
url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
language = {English},
urldate = {2021-05-13}
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX |
2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel @online{camichel:20210425:ransomware:1a1ee7f,
author = {Corsin Camichel},
title = {{Ransomware and Data Leak Site Publication Time Analysis}},
date = {2021-04-25},
organization = {Vulnerability.ch Blog},
url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/},
language = {English},
urldate = {2021-04-29}
}
Ransomware and Data Leak Site Publication Time Analysis Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil |
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh @online{singh:20210423:doppel:1bfd6da,
author = {Vikas Singh},
title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}},
date = {2021-04-23},
organization = {Twitter (@vikas891)},
url = {https://twitter.com/vikas891/status/1385306823662587905},
language = {English},
urldate = {2021-05-25}
}
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals Cobalt Strike DoppelPaymer |
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210422:twwet:62355c6,
author = {Peter Mackenzie},
title = {{Tweet On TTPs seen in IR used by DOPPEL SPIDER}},
date = {2021-04-22},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688},
language = {English},
urldate = {2021-05-25}
}
Tweet On TTPs seen in IR used by DOPPEL SPIDER Cobalt Strike DoppelPaymer |
2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @techreport{unit42:20210317:ransomware:504cc32,
author = {Unit42},
title = {{Ransomware Threat Report 2021}},
date = {2021-03-17},
institution = {Palo Alto Networks Unit 42},
url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf},
language = {English},
urldate = {2021-03-19}
}
Ransomware Threat Report 2021 RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker |
2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev @techreport{skulkin:202103:ransomware:992ca10,
author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev},
title = {{Ransomware Uncovered 2020/2021}},
date = {2021-03},
institution = {Group-IB},
url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf},
language = {English},
urldate = {2021-06-16}
}
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu @online{ryu:20210215:operation:b0712b0,
author = {Sojun Ryu},
title = {{Operation SyncTrek}},
date = {2021-02-15},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167},
language = {English},
urldate = {2021-09-02}
}
Operation SyncTrek AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker |
2021-02-04 ⋅ Chainalysis ⋅ Chainalysis Team @online{team:20210204:blockchain:4e63b2f,
author = {Chainalysis Team},
title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
date = {2021-02-04},
organization = {Chainalysis},
url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
language = {English},
urldate = {2021-02-06}
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains DoppelPaymer Egregor Maze SunCrypt |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:overview:1f90b7c,
author = {Trend Micro Research},
title = {{An Overview of the DoppelPaymer Ransomware}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html},
language = {English},
urldate = {2021-01-11}
}
An Overview of the DoppelPaymer Ransomware DoppelPaymer |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:98f1049,
author = {SecureWorks},
title = {{Threat Profile: GOLD HERON}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-heron},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD HERON DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER |
2020-12-10 ⋅ FBI ⋅ FBI @techreport{fbi:20201210:pin:8657b3e,
author = {FBI},
title = {{PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services}},
date = {2020-12-10},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2020/201215-1.pdf},
language = {English},
urldate = {2020-12-19}
}
PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services DoppelPaymer |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201207:foxconn:307c147,
author = {Lawrence Abrams},
title = {{Foxconn electronics giant hit by ransomware, $34 million ransom}},
date = {2020-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/},
language = {English},
urldate = {2020-12-08}
}
Foxconn electronics giant hit by ransomware, $34 million ransom DoppelPaymer |
2020-12-01 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201201:steal:db9aadd,
author = {Intel 471},
title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}},
date = {2020-12-01},
organization = {Intel 471},
url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/},
language = {English},
urldate = {2020-12-17}
}
Steal, then strike: Access merchants are first clues to future ransomware attacks DoppelPaymer |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201118:zooming:f28a9c1,
author = {Victoria Kivilevich},
title = {{Zooming into Darknet Threats Targeting Japanese Organizations}},
date = {2020-11-18},
organization = {KELA},
url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
language = {English},
urldate = {2020-11-19}
}
Zooming into Darknet Threats Targeting Japanese Organizations Conti DoppelPaymer Egregor LockBit Maze REvil Snake |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX |
2020-11-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201109:laptop:fa3207d,
author = {Lawrence Abrams},
title = {{Laptop maker Compal hit by ransomware, $17 million demanded}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/},
language = {English},
urldate = {2020-11-11}
}
Laptop maker Compal hit by ransomware, $17 million demanded DoppelPaymer |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-10-23 ⋅ AP News ⋅ Frank Bajak @online{bajak:20201023:report:7bb3ff0,
author = {Frank Bajak},
title = {{Report: Ransomware disables Georgia county election database}},
date = {2020-10-23},
organization = {AP News},
url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c},
language = {English},
urldate = {2020-11-02}
}
Report: Ransomware disables Georgia county election database DoppelPaymer |
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt |
2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201001:to:fd3aa09,
author = {Victoria Kivilevich},
title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
date = {2020-10-01},
organization = {KELA},
url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
language = {English},
urldate = {2021-05-07}
}
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt |
2020-09-29 ⋅ PWC UK ⋅ Andy Auld @online{auld:20200929:whats:2782a62,
author = {Andy Auld},
title = {{What's behind the increase in ransomware attacks this year?}},
date = {2020-09-29},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
language = {English},
urldate = {2021-05-25}
}
What's behind the increase in ransomware attacks this year? DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker |
2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20200925:double:fe3b093,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
language = {English},
urldate = {2020-10-02}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER |
2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team @online{team:20200924:double:3b3ade6,
author = {CrowdStrike Intelligence Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-24},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1},
language = {English},
urldate = {2021-05-31}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER |
2020-09-22 ⋅ Heise Security ⋅ Olivia von Westernhagen @online{westernhagen:20200922:uniklinik:bae1c32,
author = {Olivia von Westernhagen},
title = {{Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken}},
date = {2020-09-22},
organization = {Heise Security},
url = {https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html},
language = {German},
urldate = {2020-09-23}
}
Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken DoppelPaymer |
2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20200825:how:5db6a82,
author = {Victoria Kivilevich},
title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}},
date = {2020-08-25},
organization = {KELA},
url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/},
language = {English},
urldate = {2021-05-07}
}
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet |
2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-17 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20200717:malware:5c58cdf,
author = {CERT-FR},
title = {{The Malware Dridex: Origins and Uses}},
date = {2020-07-17},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf},
language = {English},
urldate = {2020-07-20}
}
The Malware Dridex: Origins and Uses Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus |
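2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt @online{brubaker:20200715:financially:f217555,
  author       = {Brubaker, Nathan and Kapellmann Zafra, Daniel and Lunden, Keith and Proska, Ken and Hildebrandt, Corey},
  title        = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
  organization = {Mandiant},
  date         = {2020-07-15},
  url          = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot},
  urldate      = {2022-07-28},
  language     = {English},
}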
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake |
2020-06-03 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200603:ransomware:116ecb8,
  author       = {Cimpanu, Catalin},
  title        = {{Ransomware gang says it breached one of NASA's IT contractors}},
  organization = {ZDNet},
  date         = {2020-06-03},
  url          = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/},
  urldate      = {2020-06-03},
  language     = {English},
}
Ransomware gang says it breached one of NASA's IT contractors DoppelPaymer |
2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200324:three:fb92d03,
  author       = {Abrams, Lawrence},
  title        = {{Three More Ransomware Families Create Sites to Leak Stolen Data}},
  organization = {Bleeping Computer},
  date         = {2020-03-24},
  url          = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
  urldate      = {2020-03-26},
  language     = {English},
}
Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Nemty REvil |
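2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {{Human-operated ransomware attacks: A preventable disaster}},
  organization = {Microsoft},
  date         = {2020-03-05},
  url          = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
  urldate      = {2020-03-06},
  language     = {English},
}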
Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
  author      = {CrowdStrike},
  title       = {{2020 CrowdStrike Global Threat Report}},
  institution = {CrowdStrike},
  date        = {2020-03-04},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  urldate     = {2020-07-24},
  language    = {English},
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200303:ransomware:8be6fa7,
  author       = {Abrams, Lawrence},
  title        = {{Ransomware Attackers Use Your Cloud Backups Against You}},
  organization = {Bleeping Computer},
  date         = {2020-03-03},
  url          = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/},
  urldate      = {2020-03-04},
  language     = {English},
}
Ransomware Attackers Use Your Cloud Backups Against You DoppelPaymer Maze |
2020-03-02 ⋅ TechCrunch ⋅ Zack Whittaker, Kirsten Korosec @online{whittaker:20200302:visser:7a6d06b,
  author       = {Whittaker, Zack and Korosec, Kirsten},
  title        = {{Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach}},
  organization = {TechCrunch},
  date         = {2020-03-02},
  url          = {https://techcrunch.com/2020/03/01/visser-breach/},
  urldate      = {2020-03-09},
  language     = {English},
}
Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach DoppelPaymer |
2020-02-25 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200225:doppelpaymer:9ca20ab,
  author       = {Abrams, Lawrence},
  title        = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}},
  organization = {Bleeping Computer},
  date         = {2020-02-25},
  url          = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/},
  urldate      = {2020-02-26},
  language     = {English},
}
DoppelPaymer Ransomware Launches Site to Post Victim's Data DoppelPaymer FriedEx |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:b12ae49,
  author       = {SecureWorks},
  title        = {{GOLD HERON}},
  organization = {Secureworks},
  date         = {2020},
  url          = {https://www.secureworks.com/research/threat-profiles/gold-heron},
  urldate      = {2020-05-23},
  language     = {English},
}
GOLD HERON DoppelPaymer Dridex Empire Downloader |
2019-07-12 ⋅ CrowdStrike ⋅ Brett Stone-Gross, Sergei Frankoff, Bex Hartley @online{stonegross:20190712:bitpaymer:113a037,
  author       = {Stone-Gross, Brett and Frankoff, Sergei and Hartley, Bex},
  title        = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}},
  organization = {CrowdStrike},
  date         = {2019-07-12},
  url          = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/},
  urldate      = {2020-04-25},
  language     = {English},
}
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 DoppelPaymer Dridex FriedEx |