What Is DoppelPaymer Ransomware? The Software That Is Wreaking Havoc

Ever wonder how cybercriminals make money after gaining access to a system or data? One way is through ransomware, a software that denies a user access to a system or data until a ransom is paid. While there are many types of ransomware, new varieties have emerged within the past few years, one of which is the DoppelPaymer ransomware.

If you’re wondering what exactly is DopplePaymer ransomware this post will break down everything you need to know about this malicious software. We will look at the tactics it uses to gain control of a system along with a few techniques for DoppePaymer removal and protection.

What Is DoppelPaymer Ransomware?

So, what is DoppelPaymer ransomware? Discovered in April 2019, DoppelPaymer ransomware is a type of malware belonging to the Dridex family of malware. It’s distributed by a cybercrime group called Indrik Spider, which has been in operation since 2014. According to recent speculation by security researchers, the DoppelPaymer group has rebranded themselves as PayorGrief, or Grief for short.

It’s believed that DoppelPaymer is the successor of an earlier type of ransomware called BitPaymer because of their similar code, ransom messages, and payment portals. That said, there are a few differences between the softwares, a major one being that different DoppelPaymer samples require different command-line parameters to execute their code. This is likely a method to avoid detection and analysis by security researchers and sandbox testing.

Over 60 organizations—mainly in healthcare, emergency services, and education industries—have been compromised to date. According to the FBI, DoppelPaymer attacks escalated in late 2020, with a hospital in Germany, a U.S. medical center, a community college, and an E911 center among its targets.

What Does DoppelPaymer Ransomware Do?

Like other forms of ransomware, DoppelPaymer seizes control of a system or data with the goal of extorting money from its victims. DoppelPaymer ransomware is typically delivered through phishing or spam emails—and within the emails are attachments or links containing malicious code. Once the code is executed, the malware is downloaded onto the system where it quickly wreaks havoc.

By locking users out of a system and gaining exclusive access to sensitive files, DoppelPaymer hackers gain leverage over their victims. They use this leverage to their advantage, demanding pricey ransoms ranging anywhere from $25,000 to $1.2 million for the safe return of the files. On some occasions, DoppelPaymer hackers have threatened to publish stolen files on data leak websites unless the victims pay their ransoms.

Generally, a DoppelPaymer ransomware attack follows these steps:

1. Hackers embed malicious code in a file or link and insert it in an email or message.
2. When the victim opens the file or clicks the link, the code is executed. A strain of malware called Emotet is downloaded onto the victim’s system.
3. Emotet kickstarts other malicious software that encrypts files or drives on the network and changes passwords to lock users out of the system.
4. Once the passwords are changed, DoppelPaymer forces the system to restart in safe mode, and replaces Windows’ notice text with its ransom note.
5. Finally, DoppelPaymer runs a tool called Process Hacker, which damages the system’s defenses by terminating security, email server, backup, and database software processes.

Clearly, DoppelPaymer ransomware can cause serious damage to your system, especially if you work for an organization with sensitive data and files. Familiarizing yourself with ways to guard against a DoppelPaymer attack is key to avoiding the high price associated with them.

How Can You Protect Yourself From DoppelPaymer Ransomware?

There are a few simple precautions you can take to prevent a DoppelPaymer attack. First, avoid opening any suspicious emails or messages, as these are common attack vectors for DoppelPaymer cybercriminals. If you do open one, avoid clicking on any links or attachments at all costs.

Other best practices include updating your software and applications so their vulnerabilities don’t remain exposed to threat actors, and, of course, frequently backing up important files. If possible, store at least one backup in a different physical location than your device.

If you’ve already fallen victim to DoppelPaymer ransomware, it may be possible to regain your files through DoppelPaymer removal methods. SiteLock can help you detect, remove, and restore a website or system that’s been damaged by malware.

Interested in learning more about ransomware and how to defend against it? Read “What Is Ransomware?” on our blog.