SYMBOLCOMMON_NAMEaka. SYNONYMS
win.doppelpaymer (Back to overview)

DoppelPaymer

aka: Pay OR Grief

Actor(s): DOPPEL SPIDER


Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: ".how2decrypt.txt".

References
2023-03-06Bleeping ComputerBill Toulas
@online{toulas:20230306:core:c40e225, author = {Bill Toulas}, title = {{Core DoppelPaymer ransomware gang members targeted in Europol operation}}, date = {2023-03-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/}, language = {English}, urldate = {2023-03-17} } Core DoppelPaymer ransomware gang members targeted in Europol operation
DoppelPaymer
2023-03-06Landeskriminalamt NRWLandeskriminalamt NRW
@online{nrw:20230306:schlag:5e5d84b, author = {Landeskriminalamt NRW}, title = {{Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen}}, date = {2023-03-06}, organization = {Landeskriminalamt NRW}, url = {https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen}, language = {German}, urldate = {2023-03-23} } Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen
DoppelPaymer Entropy FriedEx
2022-06-13Jorge TestaJorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02MandiantMandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-01-05ARMORArmor
@online{armor:20220105:threat:178f0e9, author = {Armor}, title = {{Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware}}, date = {2022-01-05}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/}, language = {English}, urldate = {2022-01-12} } Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware
DoppelPaymer FriedEx
2021-12-30LIFARSVlad Pasca
@techreport{pasca:20211230:deep:a307971, author = {Vlad Pasca}, title = {{A Deep Dive into The Grief Ransomware’s Capabilities}}, date = {2021-12-30}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf}, language = {English}, urldate = {2022-01-25} } A Deep Dive into The Grief Ransomware’s Capabilities
DoppelPaymer
2021-12-07CrowdStrikeShaun Hurley
@online{hurley:20211207:critical:959de2e, author = {Shaun Hurley}, title = {{Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes}}, date = {2021-12-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/}, language = {English}, urldate = {2021-12-08} } Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
DoppelPaymer
2021-11-03CERT-FRANSSI
@online{anssi:20211103:identification:3143cbb, author = {ANSSI}, title = {{Identification of a new cybercriminal group: Lockean}}, date = {2021-11-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/}, language = {English}, urldate = {2021-11-03} } Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
2021-10-28Twitter (@BrettCallow)Brett Callow
@online{callow:20211028:suspected:ae61e43, author = {Brett Callow}, title = {{Tweet on suspected actor behind Payorgrief ransomware}}, date = {2021-10-28}, organization = {Twitter (@BrettCallow)}, url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20}, language = {English}, urldate = {2021-11-08} } Tweet on suspected actor behind Payorgrief ransomware
DoppelDridex DoppelPaymer
2021-10-26ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05Red CanaryTony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} } When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-28ZscalerBrett Stone-Gross
@online{stonegross:20210728:doppelpaymer:5deeffe, author = {Brett Stone-Gross}, title = {{DoppelPaymer Continues to Cause Grief Through Rebranding}}, date = {2021-07-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding}, language = {English}, urldate = {2021-08-02} } DoppelPaymer Continues to Cause Grief Through Rebranding
DoppelPaymer
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-23Twitter (@vikas891)Vikas Singh
@online{singh:20210423:doppel:1bfd6da, author = {Vikas Singh}, title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}}, date = {2021-04-23}, organization = {Twitter (@vikas891)}, url = {https://twitter.com/vikas891/status/1385306823662587905}, language = {English}, urldate = {2021-05-25} } Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-04ChainanalysisChainalysis Team
@online{team:20210204:blockchain:4e63b2f, author = {Chainalysis Team}, title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}}, date = {2021-02-04}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer}, language = {English}, urldate = {2021-02-06} } Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021-01-05Trend MicroTrend Micro Research
@online{research:20210105:overview:1f90b7c, author = {Trend Micro Research}, title = {{An Overview of the DoppelPaymer Ransomware}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html}, language = {English}, urldate = {2021-01-11} } An Overview of the DoppelPaymer Ransomware
DoppelPaymer
2021SecureworksSecureWorks
@online{secureworks:2021:threat:98f1049, author = {SecureWorks}, title = {{Threat Profile: GOLD HERON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER
2020-12-10FBIFBI
@techreport{fbi:20201210:pin:8657b3e, author = {FBI}, title = {{PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services}}, date = {2020-12-10}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201215-1.pdf}, language = {English}, urldate = {2020-12-19} } PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services
DoppelPaymer
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-07Bleeping ComputerLawrence Abrams
@online{abrams:20201207:foxconn:307c147, author = {Lawrence Abrams}, title = {{Foxconn electronics giant hit by ransomware, $34 million ransom}}, date = {2020-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/}, language = {English}, urldate = {2020-12-08} } Foxconn electronics giant hit by ransomware, $34 million ransom
DoppelPaymer
2020-12-01Intel 471Intel 471
@online{471:20201201:steal:db9aadd, author = {Intel 471}, title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}}, date = {2020-12-01}, organization = {Intel 471}, url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/}, language = {English}, urldate = {2020-12-17} } Steal, then strike: Access merchants are first clues to future ransomware attacks
DoppelPaymer
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-09Bleeping ComputerLawrence Abrams
@online{abrams:20201109:laptop:fa3207d, author = {Lawrence Abrams}, title = {{Laptop maker Compal hit by ransomware, $17 million demanded}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/}, language = {English}, urldate = {2020-11-11} } Laptop maker Compal hit by ransomware, $17 million demanded
DoppelPaymer
2020-11-09Bleeping ComputerIonut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-10-23AP NewsFrank Bajak
@online{bajak:20201023:report:7bb3ff0, author = {Frank Bajak}, title = {{Report: Ransomware disables Georgia county election database}}, date = {2020-10-23}, organization = {AP News}, url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c}, language = {English}, urldate = {2020-11-02} } Report: Ransomware disables Georgia county election database
DoppelPaymer
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-22Heise SecurityOlivia von Westernhagen
@online{westernhagen:20200922:uniklinik:bae1c32, author = {Olivia von Westernhagen}, title = {{Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken}}, date = {2020-09-22}, organization = {Heise Security}, url = {https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html}, language = {German}, urldate = {2020-09-23} } Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken
DoppelPaymer
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-15MandiantNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-03ZDNetCatalin Cimpanu
@online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } Ransomware gang says it breached one of NASA's IT contractors
DoppelPaymer
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03Bleeping ComputerLawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-03-02TechCrunchZack Whittaker, Kirsten Korosec
@online{whittaker:20200302:visser:7a6d06b, author = {Zack Whittaker and Kirsten Korosec}, title = {{Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach}}, date = {2020-03-02}, organization = {TechCrunch}, url = {https://techcrunch.com/2020/03/01/visser-breach/}, language = {English}, urldate = {2020-03-09} } Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
DoppelPaymer
2020-02-25Bleeping ComputerLawrence Abrams
@online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } DoppelPaymer Ransomware Launches Site to Post Victim's Data
DoppelPaymer FriedEx
2020SecureworksSecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2019-07-12CrowdStrikeBrett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
Yara Rules
[TLP:WHITE] win_doppelpaymer_auto (20230715 | Detects win.doppelpaymer.)
rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.doppelpaymer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 80790264 751d 80790561 7517 }
            // n = 4, score = 700
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f
            //   80790561             | cmp                 byte ptr [ecx + 5], 0x61
            //   7517                 | jne                 0x19

        $sequence_1 = { 80790600 7523 80790264 751d }
            // n = 4, score = 700
            //   80790600             | cmp                 byte ptr [ecx + 6], 0
            //   7523                 | jne                 0x25
            //   80790264             | cmp                 byte ptr [ecx + 2], 0x64
            //   751d                 | jne                 0x1f

        $sequence_2 = { e8???????? 8b08 e8???????? 3db6389096 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   e8????????           |                     
            //   3db6389096           | cmp                 eax, 0x969038b6

        $sequence_3 = { 80790561 7517 80790361 7511 80790474 750b }
            // n = 6, score = 700
            //   80790561             | cmp                 byte ptr [ecx + 5], 0x61
            //   7517                 | jne                 0x19
            //   80790361             | cmp                 byte ptr [ecx + 3], 0x61
            //   7511                 | jne                 0x13
            //   80790474             | cmp                 byte ptr [ecx + 4], 0x74
            //   750b                 | jne                 0xd

        $sequence_4 = { 83ec28 6800002002 6a00 6a01 }
            // n = 4, score = 700
            //   83ec28               | sub                 esp, 0x28
            //   6800002002           | push                0x2200000
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_5 = { baffffff7f 43 e8???????? 3bd8 }
            // n = 4, score = 700
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   43                   | inc                 ebx
            //   e8????????           |                     
            //   3bd8                 | cmp                 ebx, eax

        $sequence_6 = { 8d4c2414 e8???????? 8944243c c7042400000000 }
            // n = 4, score = 600
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   e8????????           |                     
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   c7042400000000       | mov                 dword ptr [esp], 0

        $sequence_7 = { 8d4c2414 e8???????? 84db 7551 8d0c24 }
            // n = 5, score = 600
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   e8????????           |                     
            //   84db                 | test                bl, bl
            //   7551                 | jne                 0x53
            //   8d0c24               | lea                 ecx, [esp]

        $sequence_8 = { 8b45dc 8b4854 8b55e8 891424 8b75ec 89742404 894c2408 }
            // n = 7, score = 100
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8b4854               | mov                 ecx, dword ptr [eax + 0x54]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   891424               | mov                 dword ptr [esp], edx
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   894c2408             | mov                 dword ptr [esp + 8], ecx

        $sequence_9 = { 81c7f8034681 8b5824 89855cffffff 89d8 c1e81e 83e001 }
            // n = 6, score = 100
            //   81c7f8034681         | add                 edi, 0x814603f8
            //   8b5824               | mov                 ebx, dword ptr [eax + 0x24]
            //   89855cffffff         | mov                 dword ptr [ebp - 0xa4], eax
            //   89d8                 | mov                 eax, ebx
            //   c1e81e               | shr                 eax, 0x1e
            //   83e001               | and                 eax, 1

        $sequence_10 = { 50 c745fc53284e72 8b45fc 3552284e72 83c404 5d }
            // n = 6, score = 100
            //   50                   | push                eax
            //   c745fc53284e72       | mov                 dword ptr [ebp - 4], 0x724e2853
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3552284e72           | xor                 eax, 0x724e2852
            //   83c404               | add                 esp, 4
            //   5d                   | pop                 ebp

        $sequence_11 = { c745ec25155e0b 8b713c 6689f7 662b55f2 }
            // n = 4, score = 100
            //   c745ec25155e0b       | mov                 dword ptr [ebp - 0x14], 0xb5e1525
            //   8b713c               | mov                 esi, dword ptr [ecx + 0x3c]
            //   6689f7               | mov                 di, si
            //   662b55f2             | sub                 dx, word ptr [ebp - 0xe]

        $sequence_12 = { c20400 3ad1 740c 80fa3f 7407 8bf7 8bc3 }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   3ad1                 | cmp                 dl, cl
            //   740c                 | je                  0xe
            //   80fa3f               | cmp                 dl, 0x3f
            //   7407                 | je                  9
            //   8bf7                 | mov                 esi, edi
            //   8bc3                 | mov                 eax, ebx

        $sequence_13 = { 83c418 5e 5d c3 8b45e8 8b4dec 8a55e7 }
            // n = 7, score = 100
            //   83c418               | add                 esp, 0x18
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8a55e7               | mov                 dl, byte ptr [ebp - 0x19]

        $sequence_14 = { 31c0 b958000000 8b559c 8b75b0 035604 8b7e50 }
            // n = 6, score = 100
            //   31c0                 | xor                 eax, eax
            //   b958000000           | mov                 ecx, 0x58
            //   8b559c               | mov                 edx, dword ptr [ebp - 0x64]
            //   8b75b0               | mov                 esi, dword ptr [ebp - 0x50]
            //   035604               | add                 edx, dword ptr [esi + 4]
            //   8b7e50               | mov                 edi, dword ptr [esi + 0x50]

        $sequence_15 = { f6c601 8b4dd4 8975cc 897dc8 895dc4 894dc0 0f85bc000000 }
            // n = 7, score = 100
            //   f6c601               | test                dh, 1
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   897dc8               | mov                 dword ptr [ebp - 0x38], edi
            //   895dc4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   0f85bc000000         | jne                 0xc2

        $sequence_16 = { c1eb1d 898554ffffff 8b45f0 3508fcb97e 21fb }
            // n = 5, score = 100
            //   c1eb1d               | shr                 ebx, 0x1d
            //   898554ffffff         | mov                 dword ptr [ebp - 0xac], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   3508fcb97e           | xor                 eax, 0x7eb9fc08
            //   21fb                 | and                 ebx, edi

        $sequence_17 = { c20400 53 6861c1a23d 689e81b24d }
            // n = 4, score = 100
            //   c20400               | ret                 4
            //   53                   | push                ebx
            //   6861c1a23d           | push                0x3da2c161
            //   689e81b24d           | push                0x4db2819e

    condition:
        7 of them and filesize < 7266304
}
[TLP:WHITE] win_doppelpaymer_w0   (20200304 | DoppelPaymer Payload)
/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        $cmd_string = "Setup run\n" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
Download all Yara Rules