A Bird's-Eye View of DoppelPaymer Gang

DoppelPaymer is a ransomware that has obtained much of its code from BitPaymer, a ransomware family associated with “Indrik Spider.” DoppelPaymer ransomware is among the most active threats right now.

Top targets

DoppelPaymer is an enterprise-centric ransomware known for targeting well-known organizations around the world. In March 2020, a surge in their attacks was observed while taking advantage of coronavirus pandemic.
  • Since early 2020, the ransomware has been spreading via multiple infection vectors, such as exploiting vulnerable servers (CVE-2019-19781 affecting Citrix ADC) and unauthorized access.
  • In February 2020, the operators adopted the “public shaming” or “blackmailing” tactic, similar to Maze operators, to publicly leak data from whichever organization that denies paying up the ransom.
  • So far, they leaked data of Royal Military College of Canada, Avon, Siegel Egg Company Immobilière, Digital Management Inc., and others.

Modus operandi

  • The operators behind this ransomware first gain remote access to organizations by network penetration. 
  • Next, they take control of Active Directory environments to propagate their malware further across the organization's network. 
  • After that, it begins encryption of sensitive data and the exfiltration process.

Recent association

Some experts say that some members of the “TA505” threat group forked into a new group, and they could be behind DoppelPaymer, who now operate independently. The ransomware is also continuously evolving and being updated with new exploits, implying more variants could appear in future.

Key takeaways

The attacks by DoppelPaymer ransomware gang provide important lessons for security teams. Admins must regularly evaluate their networks for any potential threat activity using indicators of compromise or behavior analysis. By doing this, organizations can nip such attacks in the bud before they spread further into their network.