Doppelpaymer

Known to use a Captcha to block crawling.

Description

DoppelPaymer is a ransomware family first identified in mid-2019, derived from the BitPaymer codebase and operated by the Evil Corp cybercrime group. It is known for its double-extortion approach, encrypting victim files with AES-256 and securing keys with RSA-2048, while also stealing sensitive data for public release if payment is not made. DoppelPaymer primarily targets large organizations, including those in healthcare, government, and manufacturing, with high ransom demands often in the millions of U.S. dollars. Infection vectors include phishing emails carrying Dridex or other loaders, exploitation of remote access services, and credential theft. Encrypted files typically retain their original name with a new extension, and ransom notes direct victims to Tor-based portals for negotiation. The group has been linked to attacks on institutions such as the City of Torrance, the State of Delaware, and hospital systems in Germany and the United States.

External Analysis
https://aithority.com/security/doppelpaymer-ransomware-attack-sinks-a-global-motor-companys-20-million
https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding
http://www.secureworks.com/research/threat-profiles/gold-heron
https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c
https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://killingthebear.jorgetesta.tech/actors/evil-corp
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://redcanary.com/blog/grief-ransomware/
https://sites.temple.edu/care/ci-rw-attacks/
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://techcrunch.com/2020/03/01/visser-breach/
https://twitter.com/AltShiftPrtScn/status/1385103712918642688
https://twitter.com/BrettCallow/status/1453557686830727177?s=20
https://twitter.com/vikas891/status/1385306823662587905
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/
https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/
https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.ic3.gov/Media/News/2020/201215-1.pdf
https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.secureworks.com/research/threat-profiles/gold-heron
https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html
https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding
http://www.secureworks.com/research/threat-profiles/gold-drake
https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://killingthebear.jorgetesta.tech/actors/evil-corp
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/
https://sites.temple.edu/care/ci-rw-attacks/
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.secureworks.com/research/threat-profiles/gold-drake
https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
Urls
Screen
http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/
File servers
Screen
Chat servers
Screen
http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion/
Admin servers
Screen