win.doppelpaymer

DoppelPaymer

Actor(s): DOPPEL SPIDER


DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark extension it appends to encrypted files, .doppeled, and by the ransom note it drops, named ".how2decrypt.txt".

References
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18 | KELA | Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware
2020-11-16 | Intel 471 | Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-09 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-09 | Bleeping Computer | Lawrence Abrams
@online{abrams:20201109:laptop:fa3207d, author = {Lawrence Abrams}, title = {{Laptop maker Compal hit by ransomware, $17 million demanded}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/}, language = {English}, urldate = {2020-11-11} } Laptop maker Compal hit by ransomware, $17 million demanded
DoppelPaymer
2020-10-23 | AP News | Frank Bajak
@online{bajak:20201023:report:7bb3ff0, author = {Frank Bajak}, title = {{Report: Ransomware disables Georgia county election database}}, date = {2020-10-23}, organization = {AP News}, url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c}, language = {English}, urldate = {2020-11-02} } Report: Ransomware disables Georgia county election database
DoppelPaymer
2020-09-25 | CrowdStrike | The Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-22 | Heise Security | Olivia von Westernhagen
@online{westernhagen:20200922:uniklinik:bae1c32, author = {Olivia von Westernhagen}, title = {{Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken}}, date = {2020-09-22}, organization = {Heise Security}, url = {https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html}, language = {German}, urldate = {2020-09-23} } Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken
DoppelPaymer
2020-08 | Temple University | CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-17 | CERT-FR | CERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-15 | FireEye | Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-06-03 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } Ransomware gang says it breached one of NASA's IT contractors
DoppelPaymer
2020-03-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-03-02 | TechCrunch | Zack Whittaker, Kirsten Korosec
@online{whittaker:20200302:visser:7a6d06b, author = {Zack Whittaker and Kirsten Korosec}, title = {{Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach}}, date = {2020-03-02}, organization = {TechCrunch}, url = {https://techcrunch.com/2020/03/01/visser-breach/}, language = {English}, urldate = {2020-03-09} } Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
DoppelPaymer
2020-02-25 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } DoppelPaymer Ransomware Launches Site to Post Victim's Data
DoppelPaymer FriedEx
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2019-07-12 | CrowdStrike | Brett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
Yara Rules
[TLP:WHITE] win_doppelpaymer_auto (20201014 | autogenerated rule brought to you by yara-signator)
/*
 * win_doppelpaymer_auto -- code-sequence signature for the DoppelPaymer payload,
 * generated by yara-signator (see meta and the DISCLAIMER below).
 *
 * Each $sequence_N is a run of raw 32-bit x86 opcode bytes lifted from a
 * disassembled sample. The "// n = ..., score = ..." line under each string is
 * the generator's own annotation: n is the number of instructions in the
 * sequence, score is a weight assigned by yara-signator (its exact meaning is
 * defined by the tool, not by this rule). The indented lines that follow are
 * the disassembly of those bytes, kept for readability only; they do not
 * affect matching. "??" bytes are wildcards: every "e8????????" is an x86
 * near `call rel32` whose relative target is masked because it differs
 * between builds and load addresses.
 *
 * Matching: any 7 of the 16 sequences on an input smaller than 3301376 bytes
 * (~3.15 MiB). Because the sequences come from a limited sample set, treat a
 * hit as a triage indicator to be confirmed, not as proof of family
 * membership on its own.
 */
rule win_doppelpaymer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_7 (score 300): esp-relative stack addressing,
        // SSE2 register moves in $sequence_0.
        $sequence_0 = { 99 660f62ec 660fd66c2424 660f6ef2 660f62fe 660fd67c242c }
            // n = 6, score = 300
            //   99                   | cdq                 
            //   660f62ec             | punpckldq           xmm5, xmm4
            //   660fd66c2424         | movq                qword ptr [esp + 0x24], xmm5
            //   660f6ef2             | movd                xmm6, edx
            //   660f62fe             | punpckldq           xmm7, xmm6
            //   660fd67c242c         | movq                qword ptr [esp + 0x2c], xmm7

        $sequence_1 = { 99 52 50 8b4c2428 8b7104 56 8b29 }
            // n = 7, score = 300
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8b7104               | mov                 esi, dword ptr [ecx + 4]
            //   56                   | push                esi
            //   8b29                 | mov                 ebp, dword ptr [ecx]

        $sequence_2 = { e8???????? 6a00 8d4c244c e8???????? 8d4c245c e8???????? }
            // n = 6, score = 300
            //   e8????????           |                     (call rel32, target wildcarded)
            //   6a00                 | push                0
            //   8d4c244c             | lea                 ecx, [esp + 0x4c]
            //   e8????????           |                     
            //   8d4c245c             | lea                 ecx, [esp + 0x5c]
            //   e8????????           |                     

        $sequence_3 = { e8???????? ff742428 ff30 8d4c2430 e8???????? 8d8c249c000000 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   ff30                 | push                dword ptr [eax]
            //   8d4c2430             | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     
            //   8d8c249c000000       | lea                 ecx, [esp + 0x9c]

        $sequence_4 = { ff742428 8bce 6a00 e8???????? 8bf0 }
            // n = 5, score = 300
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   8bce                 | mov                 ecx, esi
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 6a00 8bea 8d4c2404 e8???????? 6a00 8d4c240c e8???????? }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   8bea                 | mov                 ebp, edx
            //   8d4c2404             | lea                 ecx, [esp + 4]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   e8????????           |                     

        $sequence_6 = { 8d4c2438 e8???????? 898424a0000000 8d4c2434 e8???????? 50 ffb424a4000000 }
            // n = 7, score = 300
            //   8d4c2438             | lea                 ecx, [esp + 0x38]
            //   e8????????           |                     
            //   898424a0000000       | mov                 dword ptr [esp + 0xa0], eax
            //   8d4c2434             | lea                 ecx, [esp + 0x34]
            //   e8????????           |                     
            //   50                   | push                eax
            //   ffb424a4000000       | push                dword ptr [esp + 0xa4]

        $sequence_7 = { 8d8c24f4010000 e8???????? 8d8424fc010000 ff37 }
            // n = 4, score = 300
            //   8d8c24f4010000       | lea                 ecx, [esp + 0x1f4]
            //   e8????????           |                     
            //   8d8424fc010000       | lea                 eax, [esp + 0x1fc]
            //   ff37                 | push                dword ptr [edi]

        // $sequence_8 .. $sequence_15 (score 100): ebp-relative frame addressing
        // and frame teardown (add esp / pop / ret) rather than the esp-relative
        // style above. NOTE(review): presumably lifted from a differently
        // compiled sample or build -- confirm before relying on these alone.
        $sequence_8 = { 8b4508 31c9 c745f469d9900b 8b5034 }
            // n = 4, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   31c9                 | xor                 ecx, ecx
            //   c745f469d9900b       | mov                 dword ptr [ebp - 0xc], 0xb90d969
            //   8b5034               | mov                 edx, dword ptr [eax + 0x34]

        $sequence_9 = { 8b483c 6689ce 6683fe00 89c2 8945e4 894de0 }
            // n = 6, score = 100
            //   8b483c               | mov                 ecx, dword ptr [eax + 0x3c]
            //   6689ce               | mov                 si, cx
            //   6683fe00             | cmp                 si, 0
            //   89c2                 | mov                 edx, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_10 = { 8b7e38 897dc8 8955cc 893424 c744240400000000 }
            // n = 5, score = 100
            //   8b7e38               | mov                 edi, dword ptr [esi + 0x38]
            //   897dc8               | mov                 dword ptr [ebp - 0x38], edi
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx
            //   893424               | mov                 dword ptr [esp], esi
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_11 = { 8945ec 894de8 eb0a 8b45e4 83c414 5e 5f }
            // n = 7, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   eb0a                 | jmp                 0xc
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   83c414               | add                 esp, 0x14
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_12 = { c787c800000000000000 8945b8 89f0 83c44c 5e 5f }
            // n = 6, score = 100
            //   c787c800000000000000     | mov    dword ptr [edi + 0xc8], 0
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   89f0                 | mov                 eax, esi
            //   83c44c               | add                 esp, 0x4c
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_13 = { 83c118 01d1 894dd8 8945d4 eb39 8b45e0 89c1 }
            // n = 7, score = 100
            //   83c118               | add                 ecx, 0x18
            //   01d1                 | add                 ecx, edx
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   eb39                 | jmp                 0x3b
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   89c1                 | mov                 ecx, eax

        $sequence_14 = { 8b7c0204 8b5db4 01de 8b4db0 11cf 893402 897c0204 }
            // n = 7, score = 100
            //   8b7c0204             | mov                 edi, dword ptr [edx + eax + 4]
            //   8b5db4               | mov                 ebx, dword ptr [ebp - 0x4c]
            //   01de                 | add                 esi, ebx
            //   8b4db0               | mov                 ecx, dword ptr [ebp - 0x50]
            //   11cf                 | adc                 edi, ecx
            //   893402               | mov                 dword ptr [edx + eax], esi
            //   897c0204             | mov                 dword ptr [edx + eax + 4], edi

        $sequence_15 = { 5d c3 8b45e8 890424 e8???????? 31c0 }
            // n = 6, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   31c0                 | xor                 eax, eax

    condition:
        // Any 7 of the 16 sequences must be present; the size cap (3301376
        // bytes) excludes larger inputs from matching at all.
        7 of them and filesize < 3301376
}
[TLP:WHITE] win_doppelpaymer_w0   (20200304 | DoppelPaymer Payload)
/*
# Copyright (C) 2019 Kevin O'Reilly (kevoreilly@gmail.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
 * win_doppelpaymer_w0 -- hand-written DoppelPaymer payload signature, taken
 * from the CAPE sandbox rule set (see `source` in meta).
 *
 * Strings:
 *   $getproc32  - a 32-bit x86 code fragment; the "??" bytes wildcard the
 *                 immediate of the leading `cmp` and the two `call rel32`
 *                 targets (E8 ?? ?? ?? ??), which vary per build. The name
 *                 suggests an API-resolution routine, but that is the
 *                 author's naming and is not verified here.
 *   $cmd_string - the string "Setup run\n" encoded as UTF-16LE ("wide").
 *
 * Condition: the input must begin with the DOS-header magic "MZ"
 * (uint16(0) == 0x5A4D, little-endian) and contain both strings. No filesize
 * bound is applied.
 */
rule win_doppelpaymer_w0 {
    meta:
        author = "kevoreilly"
        description = "DoppelPaymer Payload"
        source = "https://github.com/ctxis/CAPE/blob/9580330546c9cc084c1cef70045ff3cc2db37af8/data/yara/CAPE/DoppelPaymer.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Code fragment; wildcards cover the cmp immediate and call targets.
        $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3}
        // Plain-text marker string, UTF-16LE only (no ascii modifier).
        $cmd_string = "Setup run\n" wide
    condition:
        // MZ header check limits matching to PE-style executables.
        uint16(0) == 0x5A4D and all of them
}