DoppelPaymer Ransomware Threat Intel Advisory

Summary

CloudSEK threat intelligence advisory on the DoppelPaymer ransomware gang, operated by the financially motivated threat group TA505.

Advisory

Malware Intelligence

Name: DoppelPaymer
Type: Ransomware
Target OS: Windows
Affected Sectors: Healthcare, emergency services, financial sectors, educational organizations.
  The latest victim of DoppelPaymer ransomware is Apex Laboratory of Farmingdale, New York, attacked on 31 December, 2020. DoppelPaymer is reportedly operated by the financially motivated threat group TA505, which deploys the Dridex banking trojan as a downloader for DoppelPaymer. The operators of DoppelPaymer also partnered with the Qakbot malware gang: the Qakbot backdoor is responsible for initial access, privilege escalation and lateral movement, after which the DoppelPaymer gang takes control and deploys the ransomware. DoppelPaymer ransomware distribution methods include:
  • RDP
  • Phishing emails
  • Exploits
  • Botnets

Execution

  • DoppelPaymer enumerates the users on the system and alters their credentials.
  • It establishes persistence by copying legitimate services and replacing them with itself.
  • It modifies the boot configuration database, allowing it to disable startup repair and to execute during safe boot.
  • The ransomware modifies group policy to display the ransom note before login, or to direct the victim to the ransomware gang's website to negotiate with the threat actor.
  • After these steps the ransomware encrypts the files and directs the victim to the threat actor's website.
Encrypted files have the extensions “.locked”, “.lock” or “.doppeled”.
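The behaviours listed above are what a defender can hunt for in host telemetry. The following Python script is an added example, not CloudSEK's code: it runs three detectors over constructed key=value telemetry lines (sample data, not from a real incident). The log schema, the bcdedit command-line pattern used as evidence of the boot-configuration change, and the legalnoticecaption/legalnoticetext registry values behind a pre-logon banner are assumptions modelled on common Windows process-creation and registry telemetry; only the three file extensions come from the advisory.

```python
"""Triage host telemetry for the DoppelPaymer behaviours described above.

Added example, not CloudSEK's code. The key=value log schema, the bcdedit
command-line pattern and the legal-notice registry values are assumptions
modelled on common Windows telemetry; adapt them to your EDR/Sysmon fields.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# File extensions the advisory attributes to DoppelPaymer-encrypted files.
RANSOM_EXTENSIONS = {".locked", ".lock", ".doppeled"}

# Assumed evidence of boot-configuration tampering: bcdedit invocations that
# touch startup-repair or safe-boot settings.
BCD_TAMPER = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled|bootstatuspolicy|safeboot)\b",
    re.IGNORECASE,
)

# Assumed evidence of the pre-logon banner policy being rewritten: the
# registry values behind the "Interactive logon: Message ..." policy settings.
LOGON_BANNER = re.compile(
    r"\\Policies\\System\\legalnotice(?:caption|text)$", re.IGNORECASE
)

# Constructed sample telemetry; not data from a real incident.
SAMPLE_EVENTS = [
    '2020-12-31T02:14:07Z host=WS01 user=svc_backup event=ProcessCreate cmd="bcdedit.exe /set {default} recoveryenabled No"',
    '2020-12-31T02:14:08Z host=WS01 user=svc_backup event=ProcessCreate cmd="bcdedit.exe /set {default} safeboot minimal"',
    r'2020-12-31T02:14:09Z host=WS01 user=svc_backup event=ProcessCreate cmd="notepad.exe C:\Users\svc_backup\notes.txt"',
    r'2020-12-31T02:14:30Z host=WS01 user=svc_backup event=RegistryValueSet key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext"',
    r'2020-12-31T02:14:31Z host=WS01 user=svc_backup event=RegistryValueSet key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"',
    r'2020-12-31T02:15:01Z host=WS01 user=svc_backup event=FileRename old="C:\Data\q4.xlsx" new="C:\Data\q4.xlsx.locked"',
    r'2020-12-31T02:15:01Z host=WS01 user=svc_backup event=FileRename old="C:\Data\board.docx" new="C:\Data\board.docx.doppeled"',
    r'2020-12-31T02:15:02Z host=WS01 user=svc_backup event=FileRename old="C:\Data\draft.txt" new="C:\Data\draft.bak"',
]

# key=value pairs; values may be double-quoted to allow spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into a field dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def find_bcd_tampering(lines: List[str]) -> List[str]:
    """Command lines of process-creation events that edit recovery/safe-boot settings."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("event") == "ProcessCreate" and BCD_TAMPER.search(ev.get("cmd", "")):
            hits.append(ev["cmd"])
    return hits


def find_logon_banner_changes(lines: List[str]) -> List[str]:
    """Registry keys written under the pre-logon legal-notice policy values."""
    return [
        ev["key"]
        for ev in map(parse_event, lines)
        if ev.get("event") == "RegistryValueSet" and LOGON_BANNER.search(ev.get("key", ""))
    ]


def find_ransom_extensions(lines: List[str]) -> List[str]:
    """New paths of renames that give a file one of the advisory's extensions."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("event") != "FileRename":
            continue
        if PureWindowsPath(ev.get("new", "")).suffix.lower() in RANSOM_EXTENSIONS:
            hits.append(ev["new"])
    return hits


def triage(lines: List[str]) -> Dict[str, int]:
    """Count how many indicators of each behaviour the telemetry contains."""
    return {
        "bcd_tampering": len(find_bcd_tampering(lines)),
        "logon_banner_changes": len(find_logon_banner_changes(lines)),
        "ransom_extensions": len(find_ransom_extensions(lines)),
    }


if __name__ == "__main__":
    for name, count in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {count}")
```

Any single detector fires on benign administration now and then (an admin may legitimately change the logon banner), so the value is in the combination: the same account touching boot configuration, the logon banner and then a burst of renames to ransomware extensions within a minute is the pattern worth paging on.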

Tactics, Techniques and Procedures

Tactic                 Technique
Persistence            T1197     BITS Jobs
                       T1547     Boot or Logon Autostart Execution
Privilege Escalation   T1547     Boot or Logon Autostart Execution
                       T1484     Group Policy Modification
Defense Evasion        T1197     BITS Jobs
                       T1484     Group Policy Modification
                       T1036.004 Masquerade Task or Service
Credential Access      T1003     OS Credential Dumping
Discovery              T1087     Account Discovery
Impact                 T1486     Data Encrypted for Impact
                       T1489     Service Stop
                       T1529     System Shutdown/Reboot

Indicators of Compromise

IPv4
198.50.179.175
192.99.28.172
88.220.65.41
91.83.93.104
FileHash-MD5
d00ee614e9afb8c41133b9e3e7c2b179
8b8f84d740c31988cd5efe08d0501168
37f525421039fe452b1fccbf5c9df7aa
0ef5c94779cd7861b5e872cd5e922311
FileHash-SHA1
278878140bcd82632ec23b466e7b9e046af62c11
a0a1ad8866a0d3be1fbb4ad9c2e17e25abc59303
FileHash-SHA256
70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a
60ab87df9a77924e9f12484fa94f63fa4bb4c646072cf4b002492f59b1ee0103
f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
67a0d7ea6792dfaf627ab3bbaa821c2d11269a48fc3308e1ad2f4abd297405fa
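To make the indicator list actionable, here is an added Python example (not part of the advisory) that takes the values above, classifies each hash by its length rather than by heading (the 32-character values are MD5, the 40-character values SHA-1 and the nine 64-character values SHA-256 digests), and matches them against a constructed proxy log and a constructed set of digests observed on a host. The log format, the documentation-range addresses used for benign destinations and the observed digests are assumptions; only the indicator values come from the advisory.

```python
"""Match the advisory's indicators of compromise against local artefacts.

Added example, not CloudSEK's code. Only the indicator values come from the
advisory; the proxy-log format and the observed digests are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicator values copied from the advisory's IoC list, one per line.
IOC_TEXT = """
198.50.179.175
192.99.28.172
88.220.65.41
91.83.93.104
d00ee614e9afb8c41133b9e3e7c2b179
8b8f84d740c31988cd5efe08d0501168
37f525421039fe452b1fccbf5c9df7aa
0ef5c94779cd7861b5e872cd5e922311
278878140bcd82632ec23b466e7b9e046af62c11
a0a1ad8866a0d3be1fbb4ad9c2e17e25abc59303
70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a
60ab87df9a77924e9f12484fa94f63fa4bb4c646072cf4b002492f59b1ee0103
f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
67a0d7ea6792dfaf627ab3bbaa821c2d11269a48fc3308e1ad2f4abd297405fa
"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HEX = re.compile(r"[0-9a-f]+")
# Digest length in hex characters -> algorithm; used instead of trusting labels.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Bucket each token as an IPv4 address or a hash, keyed by type."""
    iocs: Dict[str, Set[str]] = {"ipv4": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for token in text.split():
        token = token.lower()
        if IPV4.fullmatch(token):
            iocs["ipv4"].add(token)
        elif HEX.fullmatch(token) and len(token) in HASH_TYPES:
            iocs[HASH_TYPES[len(token)]].add(token)
    return iocs


# Constructed proxy-log lines (documentation-range addresses for the benign
# destinations); two lines reuse advisory IPs as the destination.
SAMPLE_PROXY_LOG = [
    "2020-12-31T02:10:11Z src=10.20.3.44 dst=198.50.179.175 dport=443 action=allow bytes=5120",
    "2020-12-31T02:10:15Z src=10.20.3.44 dst=203.0.113.10 dport=443 action=allow bytes=88213",
    "2020-12-31T02:11:02Z src=10.20.3.51 dst=91.83.93.104 dport=80 action=allow bytes=1934",
    "2020-12-31T02:11:40Z src=10.20.3.51 dst=10.20.0.10 dport=445 action=allow bytes=40960",
]

# Constructed "seen on host" digests: one advisory MD5 (upper-cased, as some
# tools report it), one advisory SHA-256, and the SHA-256 of empty input.
SAMPLE_OBSERVED_HASHES = [
    "D00EE614E9AFB8C41133B9E3E7C2B179",
    "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


def match_ips(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ip, line) for every IPv4 address in a log line that is an indicator."""
    hits = []
    for line in lines:
        for ip in IPV4.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((ip, line))
    return hits


def match_hashes(observed: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) for observed digests present in the indicator set."""
    hits = []
    for digest in observed:
        digest = digest.strip().lower()
        algo = HASH_TYPES.get(len(digest))
        if algo and digest in iocs[algo]:
            hits.append((algo, digest))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print({k: len(v) for k, v in iocs.items()})
    for ip, line in match_ips(SAMPLE_PROXY_LOG, iocs):
        print("IP indicator", ip, "in:", line)
    for algo, digest in match_hashes(SAMPLE_OBSERVED_HASHES, iocs):
        print("hash indicator", algo, digest)
```

Normalising digests to lower case before lookup matters in practice: EDR consoles and PowerShell's Get-FileHash report upper-case hex, while most threat feeds publish lower-case, and a naive string comparison silently misses every match.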
 

Impact

Technical Impact:
  • Encrypted victim files
  • Users locked out of the infected device
  • Data leak
Business Impact:
  • Breach of privacy
  • Cyber extortion and ransom
  • Loss of reputation
  • Loss of data

Mitigation

  • Use strong passwords and change the default credentials of any software in use.
  • Keep up to date with the latest patches.
  • Use multi-factor authentication for user login.
  • Back up files regularly.
  • Avoid downloading and opening suspicious email attachments.
  • Avoid clicking on suspicious URLs.
