win.doppelpaymer

DoppelPaymer

Actor(s): DOPPEL SPIDER


DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files, .doppeled, and by the ransom note it drops, a file named ".how2decrypt.txt".

References
2020-09-22 | Heise Security | Olivia von Westernhagen
    Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken (German) [University Hospital Düsseldorf: ransomware "DoppelPaymer" said to be behind the attack]
    https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html (accessed 2020-09-23)
    Families: DoppelPaymer

2020-08 | Temple University | CARE
    Critical Infrastructure Ransomware Attacks (English)
    https://sites.temple.edu/care/ci-rw-attacks/ (accessed 2020-09-15)
    Families: CryptoLocker, Cryptowall, DoppelPaymer, FriedEx, Mailto, Maze, REvil, Ryuk, SamSam, WannaCryptor

2020-07-17 | CERT-FR | CERT-FR (technical report)
    The Malware Dridex: Origins and Uses (English)
    https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf (accessed 2020-07-20)
    Families: Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2020-07-15 | FireEye | Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
    Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families (English)
    https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html (accessed 2020-07-16)
    Families: DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim Ransomware, Snake Ransomware

2020-06-03 | ZDNet | Catalin Cimpanu
    Ransomware gang says it breached one of NASA's IT contractors (English)
    https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/ (accessed 2020-06-03)
    Families: DoppelPaymer

2020-03-24 | Bleeping Computer | Lawrence Abrams
    Three More Ransomware Families Create Sites to Leak Stolen Data (English)
    https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ (accessed 2020-03-26)
    Families: Clop, DoppelPaymer, Maze, Nefilim Ransomware, Nemty, REvil

2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
    Human-operated ransomware attacks: A preventable disaster (English)
    https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ (accessed 2020-03-06)
    Families: Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor

2020-03-04 | CrowdStrike | CrowdStrike (technical report)
    2020 CrowdStrike Global Threat Report (English)
    https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf (accessed 2020-07-24)
    Families and actors: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03 | Bleeping Computer | Lawrence Abrams
    Ransomware Attackers Use Your Cloud Backups Against You (English)
    https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/ (accessed 2020-03-04)
    Families: DoppelPaymer, Maze

2020-03-02 | TechCrunch | Zack Whittaker, Kirsten Korosec
    Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach (English)
    https://techcrunch.com/2020/03/01/visser-breach/ (accessed 2020-03-09)
    Families: DoppelPaymer

2020-02-25 | Bleeping Computer | Lawrence Abrams
    DoppelPaymer Ransomware Launches Site to Post Victim's Data (English)
    https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/ (accessed 2020-02-26)
    Families: DoppelPaymer, FriedEx

2020 | Secureworks | SecureWorks
    GOLD HERON (English)
    https://www.secureworks.com/research/threat-profiles/gold-heron (accessed 2020-05-23)
    Families: DoppelPaymer, Dridex, Empire Downloader

2019-07-12 | CrowdStrike | Brett Stone-Gross, Sergei Frankoff, Bex Hartley
    BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 (English)
    https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ (accessed 2020-04-25)
    Families: DoppelPaymer, Dridex, FriedEx
Yara Rules
[TLP:WHITE] win_doppelpaymer_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8bc8 8bc6 660f6ee6 99 f30f7e05???????? }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8bc6                 | mov                 eax, esi
            //   660f6ee6             | movd                xmm4, esi
            //   99                   | cdq                 
            //   f30f7e05????????     |                     

        $sequence_1 = { 8d4c241c e8???????? 8bc8 6a46 }
            // n = 4, score = 300
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   6a46                 | push                0x46

        $sequence_2 = { 807e0c00 7426 8b942420010000 8d9c24f8000000 8bcb }
            // n = 5, score = 300
            //   807e0c00             | cmp                 byte ptr [esi + 0xc], 0
            //   7426                 | je                  0x28
            //   8b942420010000       | mov                 edx, dword ptr [esp + 0x120]
            //   8d9c24f8000000       | lea                 ebx, [esp + 0xf8]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_3 = { 8d44241c 8b16 50 ff12 8bf0 8d4c241c e8???????? }
            // n = 7, score = 300
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   50                   | push                eax
            //   ff12                 | call                dword ptr [edx]
            //   8bf0                 | mov                 esi, eax
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   e8????????           |                     

        $sequence_4 = { 894204 894208 8d8c2484020000 8901 894104 894108 }
            // n = 6, score = 300
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   894208               | mov                 dword ptr [edx + 8], eax
            //   8d8c2484020000       | lea                 ecx, [esp + 0x284]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   894108               | mov                 dword ptr [ecx + 8], eax

        $sequence_5 = { 6a20 e8???????? 8bd8 57 8d4c2420 }
            // n = 5, score = 300
            //   6a20                 | push                0x20
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   57                   | push                edi
            //   8d4c2420             | lea                 ecx, [esp + 0x20]

        $sequence_6 = { 8bcd e8???????? 8bd8 837c242805 0f8732010000 }
            // n = 5, score = 300
            //   8bcd                 | mov                 ecx, ebp
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   837c242805           | cmp                 dword ptr [esp + 0x28], 5
            //   0f8732010000         | ja                  0x138

        $sequence_7 = { 6a5c e8???????? 8bc8 6a6e e8???????? 8bc8 }
            // n = 6, score = 300
            //   6a5c                 | push                0x5c
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   6a6e                 | push                0x6e
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_8 = { 8945f4 894df0 8955ec 7528 8b45ec }
            // n = 5, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   7528                 | jne                 0x2a
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_9 = { ffd0 83ec08 b901000000 ba66000000 }
            // n = 4, score = 100
            //   ffd0                 | call                eax
            //   83ec08               | sub                 esp, 8
            //   b901000000           | mov                 ecx, 1
            //   ba66000000           | mov                 edx, 0x66

        $sequence_10 = { 31c9 c745f469d9900b 8b5034 8b4008 8955f0 8945ec }
            // n = 6, score = 100
            //   31c9                 | xor                 ecx, ecx
            //   c745f469d9900b       | mov                 dword ptr [ebp - 0xc], 0xb90d969
            //   8b5034               | mov                 edx, dword ptr [eax + 0x34]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_11 = { 8945ec 894de8 8955e4 897de0 741b e9???????? }
            // n = 6, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   741b                 | je                  0x1d
            //   e9????????           |                     

        $sequence_12 = { 8b4db4 c70100000000 8945c4 e9???????? 8b45a4 8b4d9c 8b55a0 }
            // n = 7, score = 100
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   e9????????           |                     
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]

        $sequence_13 = { 8b3e 83ff00 8945b8 894d84 8955b4 }
            // n = 5, score = 100
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   83ff00               | cmp                 edi, 0
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   894d84               | mov                 dword ptr [ebp - 0x7c], ecx
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx

        $sequence_14 = { 8b75b8 8b7e04 8b5db4 83c304 }
            // n = 4, score = 100
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]
            //   8b7e04               | mov                 edi, dword ptr [esi + 4]
            //   8b5db4               | mov                 ebx, dword ptr [ebp - 0x4c]
            //   83c304               | add                 ebx, 4

        $sequence_15 = { 8b7e10 897dc0 8b7e18 897dc4 }
            // n = 4, score = 100
            //   8b7e10               | mov                 edi, dword ptr [esi + 0x10]
            //   897dc0               | mov                 dword ptr [ebp - 0x40], edi
            //   8b7e18               | mov                 edi, dword ptr [esi + 0x18]
            //   897dc4               | mov                 dword ptr [ebp - 0x3c], edi

    condition:
        7 of them and filesize < 3301376
}
[TLP:WHITE] win_doppelpaymer_w0 (20200304 | DoppelPaymer Payload)
/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        $cmd_string = "Setup run\n" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}