DoppelPaymer is a type of malicious software that infiltrates an endpoint through a link or download file, encrypts important files on the computer, and then spreads to other endpoints in the network. Attackers then send a message to the encrypted computers with instructions on how to pay the ransom amount—usually in the Bitcoin cryptocurrency—in order to restore the files. In DopplePaymer’s case, ransom demands for file decryption range anywhere from USD 25,000 to USD 1.2 million.
Additionally, in February 2020, the malicious actors behind DoppelPaymer launched a data leak site, threatening victims with the publication of their stolen files on the site as part of the ransomware’s extortion scheme. DoppelPaymer ransomware is among the most active threats right now, and companies should be aware of its risks and prepare for an attack by ensuring they have a clear incident response plan in place.
DoppelPaymer’s primary targets are organizations in the healthcare, emergency services, and education industries. The ransomware was involved in a number of high profile attacks in 2020 and 2021, targeting community colleges, police, emergency services in the US, a German hospital, and Kia Motors, amongst others.
The Link Between DopplePaymer and BitPaymer
DoppelPaymer ransomware was first discovered in April 2019, and it is believed to be based on the BitPaymer ransomware, which first appeared in 2017. Since then, a link between the two ransomware variants has been established due to similarities in their code, ransom notes, and payment portals.
However, there are three key differences between DoppelPaymer and BitPaymer. For one, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES, with older versions using 1024-bit RSA + 128-bit RC4. DoppelPaymer also improves upon BitPaymer’s rate of encryption by using threaded file encryption, which allows for the encryption of entire endpoints within seconds.
The third key difference between the two viruses is that DoppelPaymer requires a specific command-line parameter in order to execute its malicious routines. This technique is possibly used by the attackers to avoid detection via sandbox analysis as well as to prevent security researchers from studying the samples.
Who is Behind DoppelPaymer?
DoppelPaymer has been attributed to the threat group known as Indrik Spider. But, who is Indrik Spider?
Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network. The group soon developed their own custom malware, known as Dridex. Whilst early versions of Dridex were primitive, over time, the malware became increasingly professional and sophisticated. Between 2015 and 2016, Dridex was one of the most prevalent malware families, primarily being used to conduct wire fraud. With the arrest of a member of the group came the setback of Indrik Spider’s operations.
In 2017, the group reappeared on the cyber crime landscape rebranded as Grief Group, in an effort to appear like a separate actor. Grief Group conducted smaller Dridex distribution campaigns, introducing BitPaymer ransomware—DoppelPaymer’s antecedent—and focused on leveraging access within a victim organization to demand high ransom payments. In 2019, DoppelPaymer appeared as a highly dangerous evolution of BitPaymer, targeting organizations worldwide. A famous case was the attack on Kia Motors in February 2021, where the ransom request amounted to USD 20 million.
How does DoppelPaymer Work?
DoppelPaymer uses a fairly sophisticated routine to gain access into a target network and conduct its activities. A typical attack starts with network infiltration via malicious spam emails containing spear phishing links or attachments. Such emails are especially designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine-looking document.
The code then downloads the Emotet Trojan into the victim’s system. The Trojan is specialized in evading detection from common antivirus programs. Emotet also communicates with its command-and-control (C&C) server to install various DoppelPaymer modules as well as to download and execute other tools, including PowerShell Empire, Cobalt Strike, Mimikatx, and PSExec. Each of these tools are used for specific activities, such as stealing credentials, moving laterally inside the network, and executing commands for disabling security software.
The malicious actors do not immediately deploy the ransomware upon initial access. Instead, they try to move laterally within the affected system’s network through Dridex, in search of high-value targets to steal critical information from. Once such a target is found, Dridex executes its final payload, DoppelPaymer. DoppelPaymer encrypts files found in the network as well as fixed and removable drives in the affected system.
As a final step, DoppelPaymer changes user passwords and forces a system restart into safe mode to prevent user entry. When a user tries to start an infected machine, DoppelPaymer’s ransom note appears on screen. The note warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that sensitive data will be shared with the public if they do not pay the ransom demanded from them.
How to prevent a DoppelPaymer attack?
Use this checklist to prevent a DoppelPaymer ransomware attack and prepare for a breach in order to be resilient to its impact:
- Use an EDR Service
- Prepare an Incident Response Plan and Team
- Purchase a Cyber Insurance Policy
ACTIVE BREACH RESPONSE
- Disconnect or Shut Down Computing Devices
- Contact a Trusted IR Team
- Document All Significant Events and Actions
- Deploy EDR Services
- Regularly Patch and Update
- Ensure Effective Backups Exist
- Tighten Security Configurations
- Have a Plan and Team in Place for Future Breaches
- Ongoing Cyber Awareness Training for Employees
- Insure Against Future Cyber Losses
The DoppelPaymer ransomware strain is a relatively new and high-risk cyber threat. Being an evolved BitPaymer, it is able to encrypt entire networks within minutes from penetrating an endpoint. With large ransom demands and widespread targets, organizations in the APAC region should be on guard.
The best way to prepare for a ransomware attack is to ensure that you have a clear incident response plan in place. Falling victim to ransomware can be a stressful and emotional time, and an experienced incident response (IR) company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout.