Ransomware gangs have been feeling the heat following the DarkSide ransomware attack on Colonial Pipeline in May that forced the company to shut down its fuel pipeline serving the U.S. East Coast for a week. Any attack on critical infrastructure is likely to draw a response from the U.S. government, so it is no surprise that ransomware gangs faced a great deal of scrutiny after the attack. The DarkSide group shut down following the attack, and several other ransomware gangs went quiet.
DoppelPaymer was one of the gangs that appeared to be laying low. Around a week after the Colonial Pipeline attack the group went quiet and no further updates were posted on the group’s data leak site after May 6, 2021.
It is not uncommon for ransomware operations to go quiet for a few weeks, but they usually return. In many cases, the threat group reappears with a tweaked ransomware variant that is used under a new name, as has happened with DoppelPaymer.
DoppelPaymer attacks often start with a phishing email with links or attachments that install other malware variants, which in turn deliver the ransomware payload. Prior to the Emotet botnet being shut down, that banking Trojan was used to deliver DoppelPaymer, as well as Dridex.
Security researchers investigating a new ransomware-as-a-service operation called Grief (PayorGrief) that appeared in June identified striking similarities between Grief and DoppelPaymer, leading them to the conclusion that they are one and the same. A sample of the malware was found that dates back to May 17, indicating the group had only stopped attacks for a very short period of time.
Grief and DoppelPaymer both have the same encrypted file format and are both distributed in phishing emails via the Dridex botnet, with one of the analyzed Grief samples also found to link to the old DoppelPaymer portal, although the samples identified since point to a separate Grief RaaS portal. Analyses of the code and the leak site also revealed further similarities such as the use of identical encryption algorithms and matching General Data Protection Regulation (GDPR) warnings for non-paying victims about GDPR penalties. The group appears to have been quite active in the short time since the new RaaS was launched, with 12 victims already listed on the group’s data leak site.
The best way to protect against DoppelPaymer ransomware attacks is to concentrate on blocking the initial attack vector – the phishing emails that deliver Dridex, which in turn delivers the ransomware. That requires an advanced anti-spam solution with machine learning capabilities and sandboxing. SpamTitan has these capabilities and many more detection mechanisms that ensure 100% of known malware threats are identified and blocked and new malware threats are identified even before their signatures are known.
For further information on improving your defenses against ransomware, malware, botnets, phishing, and other email- and web-based threats, give the TitanHQ team a call.