7 DOPPELPAYMER: A CASE STUDY

DoppelPaymer is a variant of BitPaymer, a ransomware operated by the INDRIK SPIDER group [43]. The group was formed in 2014 and developed a custom banking Trojan known as Dridex, which over the years caused losses amounting to millions of dollars globally through wire fraud. The group shifted to ransom extortion in late 2017 with the BitPaymer ransomware. Since June 2019, the DoppelPaymer ransomware strain has been detected in the wild, targeting the City of Edcouch, Texas, and the Chilean Ministry of Agriculture.

DoppelPaymer ransomware is known to be largely based on both the Dridex and BitPaymer source code. Despite the similarities, DoppelPaymer is considered a separate operation. It is usually dropped by the Dridex Trojan (which is itself typically downloaded by Emotet), but DoppelPaymer has also been observed being distributed via spam emails, deceptive downloads, botnets, exploits, malvertising, insecure RDP, web injects and fake updates on the victim’s computer [44]. DoppelPaymer is capable of terminating services and processes that may interfere with its file encryption process, including ICS and industrial software-related processes (see “Most Targeted Industries” chapter above).

In February 2020, it was reported that the DoppelPaymer gang had adopted the “double extortion” tactic, threatening to sell or publish victims’ data if the ransom demand was not paid. Furthermore, DoppelPaymer operators also claimed they had been stealing their victims’ data for almost a year, and that they had already sold some of that data on the Dark Web [45]. Shortly after, the DoppelPaymer ransomware gang launched its Dark Web leaks website for publishing the data of non-paying victims [46].

The first two victims for which the group created entries on its leaks website, in February 2020, were the Mexican state-owned energy company Pemex and the French telecommunications company Bretagne Télécom, an attack which reportedly involved the exploitation of the CVE-2019-19781 Citrix ADC vulnerability (see “Top Abused Vulnerabilities” chapter above) [47]. Other prominent, high-profile victims targeted by DoppelPaymer were:

+ Precision parts manufacturer Visser Precision (supplier of companies such as Tesla, Boeing, Lockheed Martin and SpaceX)
+ US cities, such as the City of Torrance in the Los Angeles metropolitan area in California [48] and Delaware County in Pennsylvania (which reportedly paid the gang US$500,000) [49]
+ The Office of the Chief Justice in South Africa [50]
+ A facility of electronics giant Foxconn [51]

43. https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
44. https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html; https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
45. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/
46. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
47. https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/
48. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
49. https://securityaffairs.co/wordpress/111654/cyber-crime/delaware-county-doppelpaymer-ransomware.html
50. https://mybroadband.co.za/news/security/374310-ransomware-group-releases-data-after-attack-on-office-of-the-chief-justice.html
51. https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/

27 | The Ransomware Landscape