Zyxel USG
DoppelPaymer Ransomware Threat Intel Advisory
Published 12 January 2021
- DoppelPaymer is reportedly operated by the financially motivated threat group TA505, which deploys the Dridex banking trojan as a downloader.
- DoppelPaymer ransomware distribution methods include RDP, phishing emails, exploits and botnets.
Advisory | Malware Intelligence
Name | DoppelPaymer
Type | Ransomware
Target OS | Windows
Affected Sectors | Healthcare, emergency services, financial sectors, educational organizations
The latest victim of a DoppelPaymer ransomware attack is Apex Laboratory of Farmingdale, New York, attacked on 31 December 2020. DoppelPaymer is reportedly operated by the financially motivated threat group TA505, which deploys the Dridex banking trojan as a downloader for DoppelPaymer. The operators of DoppelPaymer have also partnered with the Qakbot malware gang: the Qakbot backdoor handles initial access, privilege escalation and lateral movement, after which the DoppelPaymer gang takes control and deploys the ransomware.
DoppelPaymer ransomware distribution methods include:
- RDP
- Phishing emails
- Exploits
- Botnets
Execution
- DoppelPaymer enumerates the users on the system and alters their credentials.
- It establishes persistence by copying legitimate services and replacing them with itself.
- It modifies the boot configuration database, allowing it to disable startup repair and to execute during safe boot.
- The ransomware modifies group policy to display the ransom note before login and to direct the victim to the ransomware gang's website to negotiate with the threat actor.
- After these steps the ransomware encrypts the files and directs the victim to the threat actor's website.
The encrypted files have extensions “.locked,” “.lock,” “.doppeled.”
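As an added detection example (not part of the Zyxel advisory), the following Python flags process-creation records where bcdedit is used to disable startup repair or set a safe-boot entry, and recognises filenames carrying the encrypted-file extensions listed above. The bcdedit switches, the field names and the sample events are assumptions constructed for illustration; the advisory itself does not quote them.

```python
import re

# Constructed Sysmon-style process-creation records (not taken from the advisory).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} safeboot minimal"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /enum"},          # read-only, benign
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# Assumed bcdedit switches: each rule maps a BCD change that disables startup
# repair / recovery or forces a safe-boot entry to a detection name.
BCD_RULES = [
    ("bcd_recovery_disabled", re.compile(r"recoveryenabled\s+(no|off|false|0)\b", re.I)),
    ("bcd_ignore_boot_failures", re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcd_safeboot_set", re.compile(r"/set\b.*\bsafeboot\b", re.I)),
]

# Extensions the advisory lists for encrypted files.
ENCRYPTED_EXT = re.compile(r"\.(locked|lock|doppeled)$", re.I)


def classify_process_event(event):
    """Return the names of BCD-tampering rules matched by one process event."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\bcdedit.exe"):
        return []
    cmdline = event.get("CommandLine", "")
    return [name for name, rx in BCD_RULES if rx.search(cmdline)]


def is_encrypted_filename(path):
    """True if the filename ends in one of the DoppelPaymer extensions."""
    return bool(ENCRYPTED_EXT.search(path))


def scan(events):
    """Return (command line, matched rules) for every suspicious event."""
    findings = []
    for event in events:
        hits = classify_process_event(event)
        if hits:
            findings.append((event.get("CommandLine", ""), hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {cmdline}")
```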
Tactics, Techniques and Procedures
Tactic | Technique ID | Technique
Persistence | T1197 | BITS Jobs
Persistence | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1484 | Group Policy Modification
Defense Evasion | T1197 | BITS Jobs
Defense Evasion | T1484 | Group Policy Modification
Defense Evasion | T1036.004 | Masquerade Task or Service
Credential Access | T1003 | OS Credential Dumping
Discovery | T1087 | Account Discovery
Impact | T1486 | Data Encrypted for Impact
Impact | T1489 | Service Stop
Impact | T1529 | System Shutdown/Reboot
Indicators of Compromise
Impact
Technical Impact:
- Encryption of victim files
- Users locked out of the infected device
- Data leak
Business Impact:
- Breach of privacy
- Cyber extortion and ransom
- Loss of reputation
- Loss of data
Mitigation
- Use strong passwords and change the default credentials of any software in use
- Keep up to date with the latest patches
- Use multi-factor authentication for user login
- Back up files regularly
- Avoid downloading and opening suspicious email attachments
- Avoid clicking on suspicious URLs