DoppelPaymer Ransomware Threat Intel Advisory

The latest victim of the DoppelPaymer ransomware attack is Apex Laboratory of Farmingdale, New York, which occurred on 31 December, 2020. The DoppelPaymer is reportedly operated by financially motivated threat group TA505, that deploys the Dridex banking trojan as a downloader for DoppelPaymer. The operators of DoppelPaymer also partnered with the Qakbot malware gang, wherein the Qakbot backdoor is responsible for initial access, privilege escalation, lateral movement, followed by which the DoppelPaymer gang takes control, deploying the ransomware.

DoppelPaymer ransomware distribution methods includes:

• RDP
• Phishing emails
• Exploits
• Botnets 

Execution

• DoppelPaymer enumerates users into the system and alters their credentials.
• It establishes persistence by copying legitimate services and replacing them with itself.
• It modifies the boot configuration database, allowing it to disable startup repair and to execute during the safe boot.
• The ransomware modifies the group policy to display the ransom note before login/ direct the victim to the ransomware gang website to make a deal with the threat actor.
• Followed by all these steps the ransomware encrypts the files and directs the victim to the website of the threat actor.

The encrypted files have extensions “.locked,” “.lock,” “.doppeled.”

Tactics, Techniques and Procedures

Indicators of Compromise

Impact

Technical Impact:

• Encrypted victim files
• Lock out users from accessing infected device
• Data leak

Business Impact:

• Breach of privacy
• Cyber extortion and ransom
• Loss of reputation
• Loss of data

Mitigation

• Use strong passwords, and change the default credentials of any used software
• Keep up to date with the latest patches
• Use multi-factor authentication methods for user login
• Back up files regularly
• Avoid downloading and opening any suspicious email attachments
• Avoid clicking on suspicious URLs.