DoppelPaymer

1. Introduction

This module provides an overview of the DoppelPaymer ransomware, including how it spreads and the typical tactics, techniques, and procedures (TTPs) of the group behind it.

2. What is DoppelPaymer?

DoppelPaymer, first observed in 2019, is a variant of the BitPaymer ransomware family, which surfaced in 2017. Given the code similarities between the two and the closely matching ransom notes and payment procedures, DoppelPaymer and BitPaymer are likely operated by the same threat group, which is itself also referred to as DoppelPaymer. The ransomware encrypts the victim's data and demands a ransom for its decryption, using a combination of 2048-bit RSA and 256-bit AES. Typical targets of this group include organizations in healthcare, education, and emergency services.

DoppelPaymer is difficult to analyze because each sample must be launched with its own unique command-line argument; without that value the ransomware does not run. This defeats automated sandbox detonation and slows down manual analysis.

Process Hacker is a legitimate tool for monitoring system resources, debugging software, and detecting malware. DoppelPaymer abuses it to terminate processes and services that would otherwise interfere with encryption or hold locks on the files it wants to encrypt, so that nothing interrupts the encryption phase of the attack. Process Hacker's kernel driver calls an internal Windows kernel function to perform the termination; because this happens from kernel mode, it can stop processes that user-mode tools such as Task Manager are blocked from ending.

Once files have been encrypted, DoppelPaymer leaves the victim with a ransom note that typically summarises what has been done and warns the victim not to shut the computer down or delete any of the encrypted files or ransom messages. The note also contains a link to a .onion (Tor) site, which the victim can follow to communicate with the attackers, pay the ransom, and obtain the decryption of their files.

The DoppelPaymer group has demanded ransoms ranging from $25,000 to $1.2 million. One of their tactics is to tell the victim that the decryption fee will be lower if they make contact sooner; the victim's link usually expires after around 7 days. Victims who do not pay the ransom may find themselves featured on DoppelPaymer's leak site, DoppelLeaks, where the group publishes stolen data that has not been paid for.

DoppelPaymer appears to have been inactive since around May 2021: the leak site is still live, but it has not been updated since then. Some researchers believe this reflects a rebrand as the threat group Grief; an old Grief ransom note was even found that still contained a link to DoppelPaymer's portal.

3. Typical Attack Vectors

DoppelPaymer operators rely on social engineering to gain a foothold: they send spear-phishing emails with malicious attachments crafted to look legitimate. When the recipient opens the attachment, malicious code executes on the workstation. The attachment is used to deliver the Emotet malware, which serves as the initial foothold.

Once installed, Emotet contacts its C2 servers to download and execute additional malware. The group does not start encrypting files immediately after gaining access to the network; instead, DoppelPaymer operators move laterally through the network in search of high-value targets to attack.

4. Attacker TTPs

DoppelPaymer operators are known to employ various tactics, techniques, and procedures (TTPs) during an intrusion. Below is an example of the typical DoppelPaymer attack kill chain.

  • DoppelPaymer attackers gain initial access by sending spear-phishing emails with malicious attachments to their selected victims.

  • Once the victim opens the attachment, its code runs and the malware is downloaded onto the system.

  • Hidden files and directories are used to store and execute the attack's malicious files, most likely to remain undetected for longer.

  • User Account Control (UAC) is then bypassed so that the attackers can operate with elevated permissions while they dig deeper into the network in search of high-value targets.

  • Once targets have been chosen, DoppelPaymer operators disable Windows Defender security tooling and obfuscate files and information, encrypting them with RC4.

  • The attackers then attempt to enumerate the accounts on the victim's systems. Knowing which accounts exist helps them plan follow-on activity.

  • Throughout the intrusion, the attackers try to stay undetected, or at least hard to analyze, by obfuscating their C2 communications. This includes adding junk data to protocol traffic, using steganography, and impersonating legitimate protocols. Multi-layer encryption is also applied at this stage, using AES-256-CBC with a zero IV.

  • The victim's files are encrypted and a ransom note demanding payment is left in each directory.

  • On some occasions, DoppelPaymer also wipes the disks of backup systems.
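The last two observables in the kill chain, a burst of files renamed with the .locked extension and a README-style ransom note dropped in each directory, are what a detection rule can key on. The following is an added example, not code from the original page or from any vendor product: it runs a sliding-window count of .locked renames per process over a constructed, simplified file-event trace (the FileEvent shape, the directory names, the note filename readme.txt, and the thresholds of 20 renames in 60 seconds and 3 note directories are all assumptions for illustration, not a real EDR schema or tuned values).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FileEvent is a constructed, simplified file-activity record (not a real EDR schema).
type FileEvent struct {
	Time time.Time
	PID  int
	Op   string // "rename" (Path is the new name) or "create"
	Path string
}

// Alert records why a process was flagged.
type Alert struct {
	PID           int
	LockedRenames int // most renames to .locked seen inside one window
	NoteDirs      int // distinct directories that received a ransom note
}

const (
	window      = 60 * time.Second
	minRenames  = 20 // assumed tuning threshold
	minNoteDirs = 3  // assumed tuning threshold
)

// splitPath splits on either separator so Windows paths work on any host.
func splitPath(p string) (dir, base string) {
	i := strings.LastIndexAny(p, `\/`)
	return p[:i+1], p[i+1:]
}

// DetectLockedBurst flags a PID that renames at least minRenames files to
// .locked within one sliding window and drops a README-style note in at
// least minNoteDirs directories.
func DetectLockedBurst(events []FileEvent) []Alert {
	byPID := map[int][]FileEvent{}
	var order []int // first-seen order keeps output deterministic
	for _, e := range events {
		if _, seen := byPID[e.PID]; !seen {
			order = append(order, e.PID)
		}
		byPID[e.PID] = append(byPID[e.PID], e)
	}
	var alerts []Alert
	for _, pid := range order {
		evs := byPID[pid]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		var renames []time.Time
		noteDirs := map[string]bool{}
		for _, e := range evs {
			dir, base := splitPath(e.Path)
			name := strings.ToLower(base)
			switch {
			case e.Op == "rename" && strings.HasSuffix(name, ".locked"):
				renames = append(renames, e.Time)
			case e.Op == "create" && strings.Contains(name, "readme"):
				noteDirs[strings.ToLower(dir)] = true
			}
		}
		// Two-pointer scan: the largest number of .locked renames inside any window.
		best, j := 0, 0
		for i := range renames {
			for renames[i].Sub(renames[j]) > window {
				j++
			}
			if i-j+1 > best {
				best = i - j + 1
			}
		}
		if best >= minRenames && len(noteDirs) >= minNoteDirs {
			alerts = append(alerts, Alert{PID: pid, LockedRenames: best, NoteDirs: len(noteDirs)})
		}
	}
	return alerts
}

// SampleEvents is a constructed trace: PID 4242 encrypts four directories in
// under a minute and drops a note in each; PID 7 does ordinary user work.
func SampleEvents() []FileEvent {
	t0 := time.Date(2021, 3, 1, 9, 0, 0, 0, time.UTC)
	dirs := []string{`C:\Share\Finance`, `C:\Share\HR`, `C:\Share\Legal`, `C:\Users\alice\Documents`}
	var evs []FileEvent
	for i := 0; i < 40; i++ {
		d := dirs[i%len(dirs)]
		evs = append(evs, FileEvent{t0.Add(time.Duration(i) * time.Second), 4242, "rename", fmt.Sprintf(`%s\doc%02d.docx.locked`, d, i)})
	}
	for _, d := range dirs {
		evs = append(evs, FileEvent{t0.Add(45 * time.Second), 4242, "create", d + `\readme.txt`})
	}
	evs = append(evs, FileEvent{t0.Add(5 * time.Second), 7, "rename", `C:\Users\bob\report_final.docx`})
	evs = append(evs, FileEvent{t0.Add(6 * time.Second), 7, "create", `C:\Users\bob\README.md`})
	return evs
}

func main() {
	for _, a := range DetectLockedBurst(SampleEvents()) {
		fmt.Printf("ALERT pid=%d locked_renames=%d note_dirs=%d\n", a.PID, a.LockedRenames, a.NoteDirs)
	}
}
```

Requiring both signals keeps a single developer creating a README.md, or a user renaming one file, from firing the rule; the two-pointer window is what separates a mass-encryption burst from the same number of renames spread over hours.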

5. Encryption Method

DoppelPaymer uses 2048-bit RSA and 256-bit AES to encrypt its victims' files. Once a system is infected, the ransomware generates a fresh AES-256-CBC key for every single file using the Windows CryptoAPI function CryptGenKey(). Each file key is then encrypted with the RSA public master key embedded in the sample and Base64-encoded so that it can be stored in the ransom note; only the holder of the matching private key can recover it.

The README-style ransom note therefore carries the encrypted AES key material. Each encrypted file is renamed with the .locked file extension.
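The hybrid scheme described above, as an added example that is not DoppelPaymer's own code: a random 256-bit key per file, AES-256-CBC with the zero IV reported for this family, the file key wrapped with an RSA-2048 public key and Base64-encoded as it would be for the ransom note, and the operator-side unwrap that needs the private key. PKCS#1 v1.5 key wrapping and PKCS#7 padding are assumptions (the page does not state the padding modes), and the generated RSA key stands in for the embedded master key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
)

// zeroIV mirrors the all-zero IV reported for this family. It is safe here only
// because every file gets its own key; with a reused key it would leak equal prefixes.
var zeroIV = make([]byte, aes.BlockSize)

// NewMasterKey stands in for the RSA-2048 master key embedded in the sample.
func NewMasterKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// GenerateFileKey returns a fresh 32-byte AES-256 key, one per file
// (the role CryptGenKey() plays in the real sample).
func GenerateFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// pkcs7Pad / pkcs7Unpad: PKCS#7 block padding (assumed padding mode).
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte) ([]byte, error) {
	n := len(data)
	if n == 0 || n%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	pad := int(data[n-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(data[n-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return data[:n-pad], nil
}

// EncryptFile encrypts one file's contents with AES-256-CBC under a zero IV.
func EncryptFile(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, padded)
	return out, nil
}

// DecryptFile reverses EncryptFile given the recovered per-file key.
func DecryptFile(ciphertext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// WrapKey encrypts the per-file key with the public master key and
// Base64-encodes it, as stored in the ransom note (PKCS#1 v1.5 assumed).
func WrapKey(pub *rsa.PublicKey, fileKey []byte) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, fileKey)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapKey is the operator side: only the private-key holder can recover the file key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
}

func main() {
	master, _ := NewMasterKey()
	fileKey, _ := GenerateFileKey()
	ct, _ := EncryptFile([]byte("constructed sample file contents"), fileKey)
	wrapped, _ := WrapKey(&master.PublicKey, fileKey)
	recovered, _ := UnwrapKey(master, wrapped)
	pt, _ := DecryptFile(ct, recovered)
	fmt.Printf("%d ciphertext bytes, wrapped key %s..., recovered: %q\n", len(ct), wrapped[:24], pt)
}
```

The point for a responder is the last two calls: the per-file AES key never exists on disk in the clear, so without the private half of the master key (or the operator's decryptor) the Base64 blob in the note is useless, and recovery has to come from backups rather than from the sample.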

6. Security Questions

  1. What tool does DoppelPaymer use to terminate services and processes on victim networks?

  2. What is the website called that DoppelPaymer uses to post stolen data on?

  3. DoppelPaymer is part of which ransomware family?

  4. What attack method does DoppelPaymer use to lure their victims in?

  5. What malware type does DoppelPaymer include in their attachments?

  6. What encryption type does DoppelPaymer use to encrypt their victims files?

  7. What is the file extension that each encrypted file is renamed with?

Answers

  1. Process Hacker

  2. DoppelLeaks

  3. BitPaymer

  4. Spear phishing

  5. Emotet

  6. 2048-bit RSA and 256-bit AES

  7. .locked
