In early December 2020, the FBI issued a warning about DoppelPaymer, a family of ransomware that first appeared in 2019 and remained active throughout 2020, including a series of incidents in the second half of the year that left victims struggling to carry out their normal operations.

This ransomware-type threat is designed to prevent victims from accessing their files by encrypting them. In order to use their files again, victims are pressured to pay a ransom to the cyber criminals. Research shows that the operators use DoppelPaymer in targeted attacks, meaning they go after specific companies and/or industries. Very often, cybercriminals with a specific objective seek to compromise an entire network, that is, all the computers used by a particular company, rather than a single machine.

DoppelPaymer uses a fairly sophisticated routine. It begins with infiltrating the network through malicious spam emails containing spear-phishing links or attachments designed to lure unsuspecting users into executing malicious code, usually disguised as a genuine document. This code is responsible for downloading other malware with more advanced capabilities (such as Emotet) onto the victim's system. Once Emotet is installed, it communicates with its command and control (C&C) server to install various modules, as well as to download and run additional malware, which eventually leads to the deployment of the DoppelPaymer ransomware itself.

All ransom notes contain identical text. As stated in them, victims should not shut down or restart their computers, rename or delete encrypted files (or the ransom notes), or attempt to restore files using any software. According to the cyber criminals, such actions could lead to permanent data loss. For instructions on how to decrypt the data, victims are told to install the Tor Browser and open the link provided in each ransom note.

The notes state that victims have 7 days to use the link, after which it will no longer be valid. Furthermore, it is claimed that the sooner victims contact the DoppelPaymer developers, the lower the price of decryption will be. The link opens a Tor website where victims can contact the cyber criminals through an online chat, but, as we always say, nothing guarantees that your data will be returned, and paying only funds the criminals financially.

Most cyber criminals spread malicious programs (including ransomware) through spam campaigns, Trojans, rogue software updaters, untrustworthy software download channels and tools, and unofficial software 'cracking' (activation) tools. Very often, however, the initial vector is simply an email with an attachment that, if opened, installs the malicious software.

Examples of commonly attached files are Microsoft Office documents, PDFs, archive files such as ZIP and RAR, executable files, and JavaScript files. It is worth mentioning that such emails are disguised as important, official, or otherwise legitimate correspondence in order to deceive users and employees into opening them.
