As per the latest claim, the DoppelPaymer ransomware group has rebranded its ransomware as Grief aka Pay. In early May, researchers noted that the group’s malicious activities stopped but its leak site was active.

The rebranding tale

The first sample of the newly rebranded Grief ransomware was compiled on May 17. The attackers tried to make Grief appear as a new RaaS, however, there are a large number of similarities to DoppelPaymer that clearly indicate a connection between the two malware.
  • The first sample of rebranded ransomware has the ransom note containing a link directing at the DoppelPaymer ransom portal.
  • Both the ransomware use similar code with the same encryption algorithms (2048-bit RSA/256-bit AES), entry point offset calculation, and import hashing.
  • Another similarity was the inclusion of the EU General Data Protection Regulation (GDPR) as an alert that reads non-paying victims will face legal fines due to the breach.

Additional insights

The group has reportedly made minor code and cosmetic changes.
  • Unlike DopplyPaymer, Grief malware samples have the ProcessHacker binaries removed. But, it uses the same code to decrypt data from binary’s .sdata section.
  • Grief's string encryption algorithm is the same as DoppelPaymer, i.e. 2048-bit RSA and 256-bit AES, except the RC4 key length that was increased to 48 bytes from 40 bytes.
  • Grief uses Monero, while DopplePaymer demands Bitcoin.


On the basis of similarities, researchers have concluded that the newly rebranded ransomware is rebranding DoppelPaymer. The new effort by DoppelPaymer appears to be more about staying low profile than going sophisticated in nature.

Cyware Publisher