
DoppelPaymer is a ransomware gang that exfiltrates data from victims’ systems and then encrypts those same systems. Named after the strain of ransomware that the gang deploys, DoppelPaymer has demonstrated ruthlessness in its choice of victims, with no industry safe from its targeting. This article analyzes DoppelPaymer’s operations, ransomware strain, and some of its high-profile attacks.


DoppelPaymer: Operations and Ransomware Analysis

DoppelPaymer first emerged in 2019, and security researchers immediately noted that the ransomware strain appeared to build on BitPaymer, which began targeting healthcare organizations in 2017. Some security analysts link DoppelPaymer back to the Russian threat-actor TA505.

In terms of how the gang operates, threat actors favor malicious email attachments as the initial vector for infiltrating a victim’s network. Typically, these are highly targeted spear-phishing emails that make victims more likely to open attachments under the guise that the emails come from a trusted source.

When someone at a target organization opens the malicious email attachment, the Dridex trojan downloads onto their system. Leveraging Dridex and opening affected systems to incoming connections, the threat actors then download other tools, including a PowerShell exploitation agent, a credential dumping tool, and threat emulation software.

Using stolen credentials, lateral movement, and detection-evasion techniques, the threat actors eventually execute the DoppelPaymer ransomware on systems. The gang uses a tool known as ProcessHacker to terminate services on endpoint devices. Multiple systems are locked simultaneously, and victims receive a ransom note with payment instructions linking to a dark web payment portal.
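The chain just described (a malicious Office attachment spawning a script host, then ProcessHacker terminating services) is the kind of sequence endpoint telemetry can catch before encryption starts. The script below is an added example, not code from the article or from IRONSCALES; the event fields, host names and command lines are constructed to illustrate the rules, and the tool names in the rule sets are the ones the text mentions plus common script hosts.

```python
"""
Added example (not from the article): detection logic that looks for the
DoppelPaymer-style chain the text describes, an Office document spawning a
script host and Process Hacker terminating services, in constructed
endpoint process-creation events. Field names and values are invented.
"""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SERVICE_KILLERS = {"processhacker.exe"}  # tool named in the article

# Constructed events (sysmon-like shape, invented for this example).
EVENTS = [
    {"ts": 1, "host": "WS-014", "parent": "outlook.exe", "image": "winword.exe",
     "cmd": "winword.exe /n invoice.docm"},
    {"ts": 2, "host": "WS-014", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -File stage.ps1"},
    {"ts": 3, "host": "WS-014", "parent": "explorer.exe", "image": "processhacker.exe",
     "cmd": "processhacker.exe"},
    {"ts": 4, "host": "WS-014", "parent": "processhacker.exe", "image": "net.exe",
     "cmd": "net stop BackupSvc"},
    {"ts": 1, "host": "WS-022", "parent": "explorer.exe", "image": "winword.exe",
     "cmd": "winword.exe report.docx"},
    {"ts": 2, "host": "WS-022", "parent": "winword.exe", "image": "splwow64.exe",
     "cmd": "splwow64.exe 12288"},
]


def evaluate(events):
    """Return {host: [(rule, ts, cmd), ...]} for every event that matches a rule."""
    findings = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["host"], e["ts"])):
        host, parent, image = e["host"], e["parent"].lower(), e["image"].lower()
        # Initial access: an Office application launching a script host.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings[host].append(("office_spawned_script_host", e["ts"], e["cmd"]))
        # Impact stage: Process Hacker running, or anything it launched.
        if image in SERVICE_KILLERS or parent in SERVICE_KILLERS:
            findings[host].append(("process_hacker_activity", e["ts"], e["cmd"]))
        # Impact stage: services being stopped from the command line.
        if image == "net.exe" and " stop " in f" {e['cmd'].lower()} ":
            findings[host].append(("service_stop_via_net", e["ts"], e["cmd"]))
    return dict(findings)


IMPACT_RULES = {"process_hacker_activity", "service_stop_via_net"}


def escalate(findings):
    """Hosts where the initial-access indicator fired before an impact-stage indicator."""
    hot = []
    for host, items in findings.items():
        access = [ts for rule, ts, _ in items if rule == "office_spawned_script_host"]
        impact = [ts for rule, ts, _ in items if rule in IMPACT_RULES]
        if access and impact and min(access) < max(impact):
            hot.append(host)
    return sorted(hot)


if __name__ == "__main__":
    for host, items in evaluate(EVENTS).items():
        for rule, ts, cmd in items:
            print(f"{host} t={ts} {rule}: {cmd}")
    print("escalate:", escalate(evaluate(EVENTS)))
```

The first rule alone is noisy in some environments (printer helpers and add-ins spawn from Office too, as the WS-022 events show), which is why `escalate` only raises a host when an access-stage hit is followed by an impact-stage hit on the same machine.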


High-Profile DoppelPaymer Attacks


Kia Motors America: February 2021

The United States division of South Korean multinational automobile manufacturer Kia became a high-profile DoppelPaymer victim in February 2021. This ransomware attack impacted payment services, internal dealership systems, and a mobile app used by the company.

As is par for the course in DoppelPaymer attacks, this was a double extortion incident. The threat actors demanded $20 million in Bitcoin if Kia Motors America wanted to avoid having stolen data leaked online. Despite BleepingComputer getting access to the ransom note used in the attack, Kia denied that it had suffered from any ransomware incident. A statement made to BleepingComputer referenced an extended systems outage.


Foxconn: December 2020

Foxconn is one of the world's largest providers of electronics manufacturing services. The Taiwanese multinational company has over 1.2 million employees globally. A December 2020 attack on Foxconn again highlighted the scope of DoppelPaymer’s ambitions in targeting some of the world’s major companies.

The successful ransomware attack encrypted over a thousand of Foxconn’s servers and exfiltrated over 100 gigabytes of data. The attack targeted a location in Mexico housing a facility for the company’s North and South American operations. An interesting aspect of this attack was how the DoppelPaymer threat actors went out of their way to destroy 20-30 gigabytes of data backups, presumably to further increase the probability of getting paid.

Considering the size of Foxconn, the ransom note left by DoppelPaymer demanded $34 million in Bitcoin. Only servers rather than employee workstations were encrypted. DoppelPaymer published files claimed to belong to Foxconn shortly after the attack, but Foxconn couldn’t confirm the authenticity or ownership of those files.


Boyce Technologies: August 2020

In a disturbing example of DoppelPaymer’s merciless approach to cyber attacks, ventilator manufacturer Boyce Technologies suffered a ransomware attack in August 2020. This month marked a tumultuous period worldwide with the Covid-19 pandemic wreaking havoc on countries like the United States.

Boyce Technologies supplied vital ventilators to hospitals and healthcare facilities in New York that helped to deal with the worst cases of the virus. This incident became public knowledge when DoppelPaymer released a post with samples of files it had stolen from Boyce Technologies on its dark web leak site. A threat to release a lot more data accompanied the post.


Newcastle University: August 2020

Newcastle University is a public research university in the northeast part of England. Notable alumni include actor Rowan Atkinson and UK Royal Family member Princess Eugenie. In August 2020, Newcastle University’s IT systems were heavily disrupted by what turned out to be a DoppelPaymer attack.

The incident caused severe operational disruption across networks and IT systems used by the university. A public update released one week after the attack indicated the damage would take several weeks to address. Students could only access a limited number of IT services, which negatively impacted their ability to study course materials. Following the attack, the threat actors began leaking sensitive information online, including Newcastle University students’ home addresses, phone numbers, and personal email addresses.


DoppelPaymer: FBI Alert, Rebranding and Future

The extent of DoppelPaymer’s operations and victim profiles prompted the FBI to release a warning in December 2020 that the gang was targeting critical infrastructure. The alert advised victims not to pay a ransom to criminal actors.

An interesting part of the alert was the FBI’s observation that DoppelPaymer was one of the first gangs whose operators phoned victims to pressure them into paying. This harassment aligns with the generally brutal nature of DoppelPaymer’s operations. Among the FBI’s recommended mitigations were keeping secure backups disconnected from the network and setting alerts for data exfiltration.
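"Setting alerts for data exfiltration" is easy to recommend and harder to specify; the example below, added here and not taken from the FBI alert or from the article, shows one concrete shape such an alert can take: each host's daily outbound volume is compared with its own recent history, and a host that suddenly sends far more than usual, to a destination it has never contacted, is raised. The flow records, host names and addresses are constructed, and the thresholds (3 standard deviations, a 10 GiB floor) are assumptions to tune per environment.

```python
"""
Added example (not from the article): a per-host egress-volume alert of the
kind the FBI mitigation "set alerts for data exfiltration" implies. Each
host's daily outbound bytes are compared with its own history, and a host
that suddenly sends far more than usual, especially to a never-seen
destination, is raised. Flow records and addresses below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily egress flow records: (day, host, destination, bytes_out).
GB = 1_000_000_000
FLOWS = [
    ("d1", "SRV-FILE01", "203.0.113.20", 800_000_000),
    ("d2", "SRV-FILE01", "203.0.113.20", 1_100_000_000),
    ("d3", "SRV-FILE01", "203.0.113.20", 950_000_000),
    ("d4", "SRV-FILE01", "203.0.113.20", 1_000_000_000),
    ("d5", "SRV-FILE01", "203.0.113.20", 1_200_000_000),
    ("d6", "SRV-FILE01", "203.0.113.20", 1_000_000_000),
    ("d6", "SRV-FILE01", "198.51.100.7", 60 * GB),  # bulk transfer to a new destination
] + [(f"d{i}", "SRV-WEB01", "203.0.113.50", 2 * GB) for i in range(1, 7)]


def daily_egress(flows):
    """host -> day -> total outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def new_destinations(flows, today):
    """host -> destinations first contacted on `today`."""
    before, current = defaultdict(set), defaultdict(set)
    for day, host, dst, _ in flows:
        (current if day == today else before)[host].add(dst)
    return {h: current[h] - before[h] for h in current}


def exfil_alerts(flows, today, z=3.0, min_bytes=10 * 2**30, min_history=3):
    """Hosts whose egress on `today` exceeds baseline mean + z*stdev and an absolute floor."""
    alerts = []
    fresh = new_destinations(flows, today)
    for host, per_day in daily_egress(flows).items():
        history = [b for d, b in per_day.items() if d != today]
        observed = per_day.get(today, 0)
        if len(history) < min_history or observed < min_bytes:
            continue  # not enough baseline, or too small to matter
        mu, sigma = mean(history), pstdev(history)
        # Floor the deviation at 10% of the mean so a flat baseline still
        # yields a usable threshold instead of alerting on noise.
        threshold = mu + z * max(sigma, 0.1 * mu)
        if observed > threshold:
            alerts.append({
                "host": host,
                "bytes_out": observed,
                "baseline_mean": round(mu),
                "threshold": round(threshold),
                "new_destinations": sorted(fresh.get(host, ())),
            })
    return alerts


if __name__ == "__main__":
    for alert in exfil_alerts(FLOWS, "d6"):
        print(alert)
```

The absolute floor matters as much as the statistical test: a workstation that normally sends almost nothing would otherwise alert on a routine software update, while the floor keeps attention on volumes that could plausibly be the hundreds of gigabytes seen in the Foxconn case.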

Perhaps in part due to the FBI setting its sights on DoppelPaymer, a lull in the gang’s operations started midway through 2021. No new leaks were posted on the dark web leak site for over a month.

Security researchers found that the group rebranded in May 2021 under the new name Grief. An early sample of the Grief ransomware strain linked to DoppelPaymer’s portal. Updated versions now link to a new portal that has extremely close similarities in layout to the DoppelPaymer portal.

There is no doubt that this is a rebranding of DoppelPaymer. And given the nature of the gang’s operations, this is a worrying development that shows they are not going away.


Preventing Successful Spear Phishing Attacks

Given the information known about how the DoppelPaymer threat actors operate, it was interesting to note that the FBI’s alert didn’t contain any reference to spear-phishing when discussing mitigation strategies. In fact, the word phishing didn’t appear at all in the document.

Given the widespread use of malicious Office documents as email attachments in instigating DoppelPaymer attacks, it’s worth addressing spear-phishing as a mitigation strategy. If you can prevent people from opening malicious attachments, you can stop adversaries in their tracks before they infiltrate your network.

Traditional security solutions struggle to detect spear-phishing emails. Furthermore, because of their highly targeted nature, these emails are very convincing. Threat actors can leverage company profiles and social networking platforms to obtain information about specific employees, such as executives.

Dealing with the threat of spear phishing requires a multi-pronged approach, but such an approach can make the difference in avoiding the devastating effects of ransomware attacks. Phishing simulation and training can help employees at all levels of seniority to better recognize phishing emails. While training and simulation aren’t guaranteed to stop people from being duped, they are effective methods to reduce that risk.

Another crucial tenet of dealing with spear phishing is having a dedicated email security platform that automatically detects, investigates, orchestrates, and responds to suspicious emails. Ideally, your email security solution would have sandbox engines to identify and isolate emails that contain malicious links and attachments.
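To make the "detects, investigates, orchestrates" step concrete, the script below performs a first-pass triage of an inbound message and decides whether to hold it for sandboxing. It is an added example, not IRONSCALES product code and not from the article; the message is constructed (the base64 payload is only a ZIP header), and the extension and magic-byte lists are assumptions chosen around the macro-enabled Office lures the text describes.

```python
"""
Added example (not from the article, and not IRONSCALES product code): a
first-pass triage of an inbound message that flags the traits the text
associates with DoppelPaymer lures, a convincing sender with a macro-enabled
Office attachment, so the message can be held for sandboxing. The message
below is constructed; the base64 payload is only a ZIP header.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed lists: extensions that can carry macros or scripts, and the leading
# bytes the named container formats are expected to start with.
RISKY_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".doc", ".xls",
              ".js", ".vbs", ".hta", ".lnk", ".iso"}
MAGIC = {".docm": b"PK\x03\x04", ".xlsm": b"PK\x03\x04", ".pptm": b"PK\x03\x04",
         ".dotm": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}

# Constructed message: plausible sender, look-alike Reply-To, macro-enabled attachment.
RAW_EMAIL = b"""\
From: "Accounts Payable" <ap@example.com>
Reply-To: ap@examp1e-invoices.net
To: finance@example.com
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def triage(raw):
    """Return {'findings': [...], 'verdict': 'deliver' | 'hold_for_sandbox'}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Replies silently routed to a different domain than the visible sender.
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name).suffix.lower()
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTS:
            findings.append(f"attachment {name}: macro-capable or script-type extension {ext}")
        # A renamed file whose bytes do not match its claimed container is suspicious too.
        expected = MAGIC.get(ext)
        if expected and not payload.startswith(expected):
            findings.append(f"attachment {name}: content does not match {ext} container format")

    verdict = "hold_for_sandbox" if findings else "deliver"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(RAW_EMAIL)
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

The point of the script is the routing decision, not a final verdict: a held message goes to the sandbox engines the paragraph mentions, and the findings give an analyst the reason it was held.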

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.

November 17, 2021