Advisory |
Malware Intelligence |
Name |
DoppelPaymer |
Type |
Ransomware |
Target OS |
Windows |
Affected Sectors |
Healthcare, emergency services, financial sectors, educational organizations. |
- RDP
- Phishing emails
- Exploits
- Botnets
Execution
- DoppelPaymer enumerates users into the system and alters their credentials.
- It establishes persistence by copying legitimate services and replacing them with itself.
- It modifies the boot configuration database, allowing it to disable startup repair and to execute during the safe boot.
- The ransomware modifies the group policy to display the ransom note before login/ direct the victim to the ransomware gang website to make a deal with the threat actor.
- Followed by all these steps the ransomware encrypts the files and directs the victim to the website of the threat actor.
Tactics, Techniques and Procedures
Tactics |
Techniques |
|
Persistence |
T1197 | BITS Jobs |
| T1547 | Boot or Logon Autostart Execution | |
Privilege Escalation |
T1547 | Boot or Logon Autostart Execution |
| T1484 | Group Policy Modification | |
Defense Evasion |
T1197 | BITS Jobs |
| T1484 | Group Policy Modification | |
| T1036.004 | Masquerade Task or Service | |
Credential Access |
T1003 | OS Credential Dumping |
Discovery |
T1087 | Account Discovery |
Impact |
T1486 | Data Encrypted for Impact |
| T1489 | Service Stop | |
| T1529 | System Shutdown/Reboot | |
Indicators of Compromise
IPv4 |
198.50.179.175 |
| 192.99.28.172 | |
| 88.220.65.41 | |
| 91.83.93.104 | |
FileHash-MD5 |
d00ee614e9afb8c41133b9e3e7c2b179 |
| 8b8f84d740c31988cd5efe08d0501168 | |
| 37f525421039fe452b1fccbf5c9df7aa | |
| 0ef5c94779cd7861b5e872cd5e922311 | |
FileHash-SHA1 |
278878140bcd82632ec23b466e7b9e046af62c11 |
| a0a1ad8866a0d3be1fbb4ad9c2e17e25abc59303 | |
| 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | |
| 0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc | |
| 801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b | |
| d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f | |
| bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | |
| 813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a | |
| 60ab87df9a77924e9f12484fa94f63fa4bb4c646072cf4b002492f59b1ee0103 | |
| f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555 | |
| 67a0d7ea6792dfaf627ab3bbaa821c2d11269a48fc3308e1ad2f4abd297405fa |
Impact
Technical Impact:
- Encrypted victim files
- Lock out users from accessing infected device
- Data leak
Business Impact:
- Breach of privacy
- Cyber extortion and ransom
- Loss of reputation
- Loss of data
Mitigation
- Use strong passwords, and change the default credentials of any used software
- Keep up to date with the latest patches
- Use multi-factor authentication methods for user login
- Back up files regularly
- Avoid downloading and opening any suspicious email attachments
- Avoid clicking on suspicious URLs.