DoppelPaymer Ransomware Detection

January 13, 2021 · 4 min read

DoppelPaymer ransomware is gaining momentum as a leading threat to critical infrastructure assets. According to the FBI warning released in December 2020, DoppelPaymer has hit multiple organizations in the healthcare, education, government and other sectors. The intrusion routine is sophisticated and aggressive, and its operators extort six- and seven-figure ransoms from their victims. Notably, the actors exfiltrate data before encrypting it, so that the threat of publishing it can be added to the ransom demand.

DoppelPaymer Ransomware Overview

DoppelPaymer emerged in June 2019 as part of the TA505 (EvilCorp) toolset. Since then, the ransomware has compromised a broad list of high-profile targets, including the state oil company in Mexico, the Ministry of Agriculture in Chile, Apex Laboratory of Farmingdale in the USA, and a prominent emergency service in Germany. Ransom demands have ranged from approximately $25,000 to over $1,200,000, and the final profit may be higher still, since the operators not only encrypt data but also exfiltrate it from the targeted network and use the stolen information for further extortion. In 2020 the operators launched a dedicated data leak website to show that their threats are real. It is also worth noting that the actors telephone victims to pressure them into paying, which makes TA505 one of the first groups to operate in such an intrusive manner.

So what is DoppelPaymer ransomware? According to researchers' analysis, DoppelPaymer is an upgraded successor of BitPaymer. The two strains share much code, but DoppelPaymer uses a different encryption scheme (2048-bit RSA + 256-bit AES) and encrypts files from multiple threads, which shortens the encryption phase. It also evades analysis better: each sample runs only when started with the correct command-line parameter, so a sandbox or analyst who executes it without that argument sees nothing. Finally, DoppelPaymer bundles the ProcessHacker tool and its kernel driver to terminate services and processes that would otherwise hold files open or interfere with encryption.

Ransomware Attack Routine

According to the DoppelPaymer ransomware description, the intrusion is multi-stage and follows a well-defined routine. The attack starts with a malicious document delivered via spear-phishing or spam. If the victim opens the attachment or follows the link, malicious code runs on the user's machine and downloads the other components used to compromise the network.

The first of these components is the infamous Emotet, which acts as a loader for Dridex. Dridex then either drops the DoppelPaymer payload or downloads additional tooling such as Mimikatz, PsExec, PowerShell Empire and Cobalt Strike. This tooling serves several purposes, including credential dumping, lateral movement and code execution inside the targeted network.

Remarkably, Dridex usually delays the DoppelPaymer deployment while the threat actors move through the environment looking for sensitive data. Once they have it, the ransomware is launched and encrypts the victims' files across the network and on attached fixed and removable drives. Finally, DoppelPaymer changes user passwords, forces a reboot into safe mode, and displays a ransom note on the users' screens.

In addition to Emotet and Dridex, DoppelPaymer operators partner with Qakbot (also written QakBot) operators to widen their reach. Qakbot is used much like Dridex: for network penetration, privilege escalation and lateral movement across the environment.

DoppelPaymer Detection Content

To detect DoppelPaymer ransomware infection and prevent the devastating consequences, you could download a fresh Sigma rule from Osman Demir, a Threat Bounty developer and active Threat Detection Marketplace library contributor:

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio.


Tactics: Impact, Defense Evasion

Techniques: Data Encrypted for Impact (T1486), File and Directory Permissions Modification (T1222)
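
As an added example (this is not the Sigma rule from the Threat Detection Marketplace, nor DoppelPaymer's or SOC Prime's code), the Python below runs a behaviour-based triage over constructed Sysmon-style events for the three late-stage actions described in the attack routine above: the password change via net.exe, the forced reboot into safe mode via bcdedit, and the burst of files rewritten with a single new extension that characterises T1486. The event dictionaries, field names, Event IDs 1 and 11, the host and user names, the ".enc" extension and the threshold and window values are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (assumption): Sysmon-style process-creation (id 1)
# and file-creation (id 11) records from one host, already parsed into dicts.
# Timestamps are seconds; the user, paths and the ".enc" extension are placeholders.
EVENTS = [
    {"ts": 10, "id": 1, "host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net user jdoe /domain"},                    # account query, benign
    {"ts": 12, "id": 1, "host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net user jdoe Qq1!Locked"},                 # password change
    {"ts": 13, "id": 1, "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} safeboot network"},  # force next boot into safe mode
    {"ts": 14, "id": 1, "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /deletevalue {default} safeboot"},  # an admin undoing it, benign
]
# Eight files rewritten with one new extension by an unknown binary within seconds ...
EVENTS += [
    {"ts": 20 + i, "id": 11, "host": "WS01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "target": rf"C:\Users\jdoe\Documents\report{i}.docx.enc"}
    for i in range(8)
]
# ... versus a handful of ordinary Office lock files, which must not fire.
EVENTS += [
    {"ts": 30 + i, "id": 11, "host": "WS01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": rf"C:\Users\jdoe\Documents\~$draft{i}.docx"}
    for i in range(3)
]

# "net user <name> <password>": a third positional token that is not a /switch.
NET_USER_SET = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+([^/\s]\S*)", re.I)


def password_changes(events):
    """Account password changes issued through net.exe or net1.exe."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        if not e["image"].lower().endswith(("\\net.exe", "\\net1.exe")):
            continue
        m = NET_USER_SET.search(e["cmd"])
        if m:
            hits.append({"ts": e["ts"], "host": e["host"], "account": m.group(1)})
    return hits


def safe_mode_forcing(events):
    """bcdedit /set ... safeboot: boot policy switched to safe mode (not its removal)."""
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\bcdedit.exe"):
            continue
        cmd = e["cmd"].lower()
        if "safeboot" in cmd and re.search(r"(^|\s)/set(\s|$)", cmd):
            hits.append({"ts": e["ts"], "host": e["host"], "cmd": e["cmd"]})
    return hits


def mass_extension_bursts(events, threshold=5, window=30):
    """T1486 heuristic: one process creates >= threshold files that share a new
    extension inside `window` seconds. Both numbers are assumptions to tune."""
    buckets = defaultdict(list)
    for e in events:
        if e["id"] != 11:
            continue
        name = e["target"].rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        buckets[(e["host"], e["image"], ext)].append(e["ts"])
    hits = []
    for (host, image, ext), times in buckets.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append({"host": host, "image": image, "ext": ext, "count": best})
    return hits


def triage(events):
    """Combine the three signals: a host is flagged for isolation when an
    encryption burst coincides with a password change or a safe-mode switch."""
    findings = {
        "password_change": password_changes(events),
        "safe_mode": safe_mode_forcing(events),
        "encryption_burst": mass_extension_bursts(events),
    }
    prep = {h["host"] for h in findings["password_change"] + findings["safe_mode"]}
    burst = {h["host"] for h in findings["encryption_burst"]}
    findings["hosts_to_isolate"] = sorted(prep & burst)
    return findings


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

The password-change and safe-mode checks are high-fidelity on their own but fire on legitimate administration too, which is why triage only escalates a host when one of them coincides with an extension burst; the burst detector is deliberately extension-agnostic so that it does not depend on whichever suffix a given build appends, and `bcdedit /deletevalue ... safeboot` is excluded because that is the command an administrator uses to recover a machine.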

Sign up for free to the Threat Detection Marketplace and find the most relevant SOC content for proactive attack detection. Enthusiastic to craft your own Sigma rules? Be welcome to join our Threat Bounty Program and contribute to threat hunting initiatives.
