7 DOPPELPAYMER: A CASE STUDY

DoppelPaymer is a variant of BitPaymer, a ransomware operated by the INDRIK SPIDER group [43]. The group was formed in 2014 and has developed a custom banking Trojan known as Dridex, which over the years caused losses amounting to millions of dollars globally through wire fraud. The group shifted to ransom extortion in late 2017 with the BitPaymer ransomware. Since June 2019, the DoppelPaymer ransomware strain has been detected in the wild, targeting the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

DoppelPaymer ransomware is known to be largely based on both the Dridex and BitPaymer source codes. Despite the similarities, DoppelPaymer is considered a separate operation. It is usually dropped by the Dridex Trojan (which is itself typically downloaded by Emotet), but DoppelPaymer has also been observed being distributed via spam emails, deceptive downloads, botnets, exploits, malvertising, insecure RDP, web injects and fake updates on the victim's computer [44]. DoppelPaymer is capable of terminating services and processes that may interfere with its file encryption process, including ICS and industrial software-related processes (see "Most Targeted Industries" chapter above).

In February 2020, it was reported that the DoppelPaymer gang had adopted the "double extortion" tactic and threatened victims that their data would be sold or published if the ransom demand was not paid. Furthermore, DoppelPaymer operators also claimed they had been stealing their victims' data for almost a year, and that they had even sold some of the data on the Dark Web in the past [45]. Shortly after, the DoppelPaymer ransomware gang launched its Dark Web leaks website for publishing the data of non-paying victims [46].
The first two victims the group created an entry for on their leaks website, in February 2020, were Mexico's state-owned energy company Pemex and the French telecommunications company Bretagne Télécom, an attack which reportedly involved the exploitation of the CVE-2019-19781 Citrix ADC vulnerability (see "Top Abused Vulnerabilities" chapter above) [47]. Other prominent, high-profile victims targeted by DoppelPaymer were:

+ Precision parts manufacturer Visser Precision (supplier of companies such as Tesla, Boeing, Lockheed Martin, and SpaceX)
+ US cities, such as the City of Torrance in the Los Angeles metropolitan area in California [48] and Delaware County in Pennsylvania (who reportedly paid the gang US$500,000) [49]
+ The Office of the Chief Justice in South Africa [50]
+ A facility of electronics giant Foxconn [51]

43. https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
44. https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html; https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
45. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/
46. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
47. https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/
48. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
49. https://securityaffairs.co/wordpress/111654/cyber-crime/delaware-county-doppelpaymer-ransomware.html
50. https://mybroadband.co.za/news/security/374310-ransomware-group-releases-data-after-attack-on-office-of-the-chief-justice.html
51. https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/

27 | The Ransomware Landscape