New DoppelPaymer ransomware observed to be similar to BitPaymer

• The ransomware was discovered from recent campaigns that were targeted against government agencies.
• It was found that most of the code for DoppelPaymer was similar to BitPaymer ransomware.

A ransomware variant called DoppelPaymer has been uncovered by security researchers recently. This new variant was discovered by experts from CrowdStrike. Reportedly, it shares most of the code with another well-known ransomware, BitPaymer. It was found that the variant was used in various campaigns targeted against government agencies in June 2019. This includes attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

Key highlights

• CrowdStrike identified eight malware builds of DoppelPaymer, as well as three victims who received different ransom demands.
• On top of having code similarities, even the ransom notes of DoppelPaymer were similar to BitPaymer ransomware. Both the notes mentioned the same payment portal. The only changes were the method of payment and a different extension for encrypted files.
• DoppelPaymer also came with a new technique wherein it would terminate processes and services that interfered file encryption. Here, it leveraged a legitimate software utility called ProcessHacker.
• A Dridex sample was also associated with DoppelPaymer since a module of the sample had the same encryption, compression, and data format as this new variant.

Worth noting

CrowdStrike speculates that this new variant might be the work of an offshoot of INDRIK SPIDER group. INDRIK SPIDER is the threat actor group behind the creation of Dridex and BitPaymer.

“There are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation,” said the firm in a blog.