Understanding DoppelPaymer Ransomware

Ransomware attacks have become increasingly common in recent years, inflicting massive damage on businesses, government agencies, healthcare organizations and everyday internet users. Among the more damaging strains of the 2019 to 2021 period is DoppelPaymer, first observed in mid-2019, whose victims include Mexico's state oil company Pemex, the City of Torrance in California, and Düsseldorf University Hospital in Germany.

Origins and Evolution

DoppelPaymer first surfaced in mid-2019; CrowdStrike published its analysis in July 2019, and the earliest known samples date from April of that year. It is a fork of the BitPaymer ransomware, sharing large parts of its code, its ransom-note style and its operating methods. The name, a play on "Doppelgänger", was given to it by researchers because of how closely it mimics its predecessor. The operators are an organised, financially motivated criminal group, not a state actor.

Several builds followed, changing the extension appended to encrypted files (.locked in early samples, .doppeled later), the ransom-note format and the anti-analysis checks. In mid-2021 the operation re-emerged under the name Grief (also written PayOrGrief), and in March 2023 German and Ukrainian police, coordinated by Europol, searched premises and named suspects believed to be core members of the group.

Modus Operandi

DoppelPaymer is human-operated ransomware: the payload is not what arrives in the phishing email. The initial foothold has typically been a Dridex infection, itself often delivered by Emotet spam carrying malicious Office attachments, with exposed remote access services (RDP, unpatched Citrix gateways) as the other common entry point. The operators use that access to explore the network for days or weeks and only at the end push DoppelPaymer to the chosen machines and run it, encrypting files and leaving a ransom note.

What makes these intrusions so damaging is the hands-on phase. Operators harvest credentials (Mimikatz against LSASS), escalate to domain administrator, disable or uninstall security tooling, and then deploy the payload across the whole domain at once using PsExec, WMI or Group Policy. By the time encryption starts, containment means dealing with a fully compromised Active Directory, not a single infected host.

Notable Incidents

DoppelPaymer has been associated with several high-profile incidents across sectors. In November 2019 it hit Pemex, Mexico's state oil company, disrupting administrative systems and prompting a demand of 565 bitcoin (roughly 4.9 million US dollars at the time). In late 2019 the City of Edcouch in Texas was hit, and in March 2020 the City of Torrance, California, lost access to municipal data; when Torrance did not pay, the operators published stolen files. These incidents underscored what ransomware can do to public services.

Also in March 2020, Visser Precision, a parts supplier to aerospace and automotive companies, was compromised. The operators posted internal documents belonging to its customers on "Dopple Leaks", the leak site the group had launched in February 2020, one of the first of its kind after Maze's.

Healthcare has been hit too. In September 2020 DoppelPaymer encrypted around 30 servers at Düsseldorf University Hospital in Germany. The ransom note was addressed to the affiliated Heinrich Heine University rather than the hospital, and the operators handed over a decryption key after police told them they had hit a hospital. Emergency admissions were suspended and a patient was diverted to a hospital in Wuppertal, where she died; prosecutors investigated but did not find the delay to be the cause of death. German authorities said the attackers had entered through an unpatched Citrix vulnerability.

Other confirmed victims include Newcastle University (September 2020), Delaware County, Pennsylvania (November 2020, which paid a reported $500,000 ransom covered by insurance), and Foxconn's plant in Ciudad Juárez, Mexico (November 2020, where the demand was 1,804 bitcoin, about 34 million US dollars). In February 2021 media reports attributed an outage at Kia Motors America to DoppelPaymer, which the company disputed. Each of these attacks caused significant business disruption for the victim organisation.

Technical Sophistication

DoppelPaymer uses a hybrid encryption scheme: each file is encrypted with 256-bit AES, and the per-file key is wrapped with a 2048-bit RSA public key embedded in the sample, so files cannot be recovered without the operators' private key. Encrypted files receive a new extension (.locked in early builds, .doppeled later) and the ransom note directs the victim to a Tor payment portal. Demands are set per victim and in 2019 ranged from about 2 to over 100 bitcoin; by 2020 large corporations were being asked for tens of millions of dollars, a figure chosen to be painful but payable.

Since early 2020 the operators have also stolen data before encrypting it and published it on the Dopple Leaks site when victims refused to pay, turning a single extortion into a double one. In December 2020 the FBI warned that DoppelPaymer operators were additionally phoning victims' staff to pressure them into paying.

Impact on Cybersecurity Landscape

The success and persistence of DoppelPaymer underscore the need for organizations to prioritize cybersecurity. Because the operators rely on stolen credentials and ordinary administrative tooling rather than on the malware alone, antivirus on endpoints is not enough: defenses need multi-factor authentication on remote access, tight control of domain administrator accounts, network segmentation, offline and tested backups, and detection of administrative tools being used in unexpected ways, backed by regular audits and staff training.

The rise of DoppelPaymer also emphasizes the necessity of international collaboration in combating cybercrime. As threat actors often operate across borders, effective cybersecurity requires a coordinated effort between governments, law enforcement agencies, and private-sector entities.

The Threat Actors Behind DoppelPaymer

CrowdStrike tracks the operators of DoppelPaymer as DOPPEL SPIDER and assesses them to be a splinter from INDRIK SPIDER, the Russia-based group (also known as Evil Corp) behind the Dridex banking trojan and BitPaymer. The shared BitPaymer code base and the continued use of Dridex as a loader support that lineage. The group handles the full chain itself: intrusion, data theft, negotiation through its Tor portal and publication of stolen data on its leak site.

Unlike many of its contemporaries, DoppelPaymer was not run as an open ransomware-as-a-service program with public affiliate recruitment. It operated as a small, closed crew, which is one reason the 2023 law-enforcement action in Germany and Ukraine targeted named core members rather than a sprawling affiliate network. Deployment is nonetheless hands-on: people, not automation, decide when and where the payload runs.

How DoppelPaymer Infects Systems and Avoids Detection

DoppelPaymer and its operators use a range of techniques to avoid security tools and outpace endpoint detection and response:

  • Anti-analysis checks: the payload will not run unless started with the correct command-line argument, so a sandbox that executes the binary without it sees nothing.
  • Encrypted command and control at the loader stage, via the Dridex infection that precedes deployment.
  • Rapid lateral movement using stolen credentials and built-in administration tools such as PsExec, WMI, Group Policy and RDP.
  • Persistence through scheduled tasks and registry run keys rather than additional files on disk.
  • Mimikatz for credential theft, typically yielding domain administrator accounts.
  • Process termination: a legitimately signed copy of ProcessHacker and its KProcessHacker kernel driver are dropped to kill security products and services, and the Windows Restart Manager API is used to release files that running processes hold open so they can be encrypted.
  • Targeting of domain controllers and backup servers to maximise impact and remove the victim's recovery options.

Process injection and DLL side-loading have also been observed in the loader stage, and the clear-text credentials Mimikatz recovers from LSASS (where WDigest caching is enabled) give the operators legitimate logins that blend in with routine administration.
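The tradecraft listed above, together with the extension change described under Technical Sophistication, is visible in ordinary Windows telemetry. The hunting script below is an added example for this article, not code from the page's author or from any vendor, and the event records in it are constructed to resemble flattened Windows System (7045), Security (4698) and Sysmon (1, 11) events; the field names follow the Windows schema, but the hosts, paths and timestamps are made up.

```python
"""Hunting for DoppelPaymer-style tradecraft in Windows event records.

Added example: not code from the article or any vendor.  The records below
are constructed to look like flattened Windows System (7045), Security
(4698) and Sysmon (1, 11) events.  Field names follow the Windows schema;
hosts, paths and timestamps are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_EXTENSIONS = (".locked", ".doppeled")  # extensions appended by DoppelPaymer
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample telemetry (not real data).
EVENTS = [
    # Sysmon 1: Mimikatz dumping credentials from LSASS on a workstation
    {"ts": "2020-03-01T02:05:00", "host": "WS17", "event_id": 1,
     "Image": r"C:\Users\Public\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Sysmon 1: remote execution on the domain controller through WMI
    {"ts": "2020-03-01T02:08:30", "host": "WS17", "event_id": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"DC01" process call create "C:\Users\Public\p.exe"'},
    # Security 4698: scheduled task whose action lives in a user-writable path
    {"ts": "2020-03-01T02:09:10", "host": "DC01", "event_id": 4698,
     "TaskName": r"\Microsoft\Windows\WindowsUpdate\Sync",
     "TaskContent": r"<Command>C:\Users\Public\p.exe</Command>"},
    # System 7045: PsExec installs its helper service on the file server
    {"ts": "2020-03-01T02:10:00", "host": "FS01", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "user mode service"},
    # System 7045: ProcessHacker's kernel driver, used to kill protected processes
    {"ts": "2020-03-01T02:12:00", "host": "FS01", "event_id": 7045,
     "ServiceName": "KProcessHacker2",
     "ImagePath": r"C:\Windows\Temp\kprocesshacker.sys",
     "ServiceType": "kernel mode driver"},
    # System 7045: a benign service install that must not trigger anything
    {"ts": "2020-03-01T03:00:00", "host": "WS02", "event_id": 7045,
     "ServiceName": "WSearch", "ImagePath": r"%SystemRoot%\system32\SearchIndexer.exe",
     "ServiceType": "user mode service"},
] + [
    # Sysmon 11: six .locked files created within ten seconds on the file server
    {"ts": f"2020-03-01T02:15:{sec:02d}", "host": "FS01", "event_id": 11,
     "TargetFilename": rf"D:\Shares\Finance\report{sec}.xlsx.locked"}
    for sec in range(0, 12, 2)
]


def match_rules(ev):
    """Return the names of the per-event rules this record triggers."""
    hits = []
    eid = ev["event_id"]
    if eid == 7045:  # service or driver installed
        name = ev.get("ServiceName", "").lower()
        path = ev.get("ImagePath", "").lower()
        if name.startswith("psexesvc") or "psexesvc" in path:
            hits.append("psexec_service_install")
        if "kernel" in ev.get("ServiceType", "").lower() and (
                "kprocesshacker" in name or "kprocesshacker" in path):
            hits.append("processhacker_driver_load")
    elif eid == 1:  # process creation with command line
        cmd = ev.get("CommandLine", "").lower()
        image = ev.get("Image", "").lower()
        if "sekurlsa::" in cmd or "lsadump::" in cmd or "mimikatz" in cmd:
            hits.append("mimikatz_credential_dump")
        if image.endswith("wmic.exe") and "/node:" in cmd and "process call create" in cmd:
            hits.append("wmi_remote_exec")
    elif eid == 4698:  # scheduled task created
        if any(p in ev.get("TaskContent", "").lower() for p in USER_WRITABLE):
            hits.append("scheduled_task_user_path")
    return hits


def encryption_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts where at least `threshold` files gained a DoppelPaymer extension inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 11 and ev.get("TargetFilename", "").lower().endswith(LOCKED_EXTENSIONS):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


def hunt(events):
    """Map each host to the sorted list of findings raised against it."""
    findings = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            findings[ev["host"]].add(rule)
    for host in encryption_bursts(events):
        findings[host].add("mass_encryption_burst")
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in sorted(hunt(EVENTS).items()):
        print(f"{host}: {', '.join(rules)}")
```

The per-event rules are deliberately coarse string matches on fields every SIEM already indexes; the point is that PsExec's service install, a kernel driver appearing from a Temp directory, and a Mimikatz module name are each loud on their own, and the burst detector catches the encryption phase from file-create events alone, without signatures for the binary. Thresholds and the extension list are assumptions to tune against your own baseline; a 60-second window with five renames would be noisy on a busy file server and far too slow once encryption is under way, so in practice the burst rule is a confirmation, and the earlier rules are where containment has to start.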

Conclusion

DoppelPaymer ransomware stands as a stark reminder of the evolving and persistent nature of cyber threats. As organizations continue to grapple with the challenges posed by sophisticated ransomware strains, it is imperative to adopt a proactive and comprehensive cybersecurity posture.

By understanding the modus operandi of DoppelPaymer and implementing effective mitigation strategies, organizations can better protect themselves against this and similar threats, safeguarding their data, operations, and reputation in an increasingly digital world.
