DoppelPaymer Ransomware Threat Intel Advisory

Advisory	Malware Intelligence
Name	DoppelPaymer
Type	Ransomware
Target OS	Windows
Affected Sectors	Healthcare, emergency services, financial sectors, educational organizations.

The latest victim of the DoppelPaymer ransomware attack is Apex Laboratory of Farmingdale, New York, which occurred on 31 December, 2020. The DoppelPaymer is reportedly operated by financially motivated threat group TA505, that deploys the Dridex banking trojan as a downloader for DoppelPaymer. The operators of DoppelPaymer also partnered with the Qakbot malware gang, wherein the Qakbot backdoor is responsible for initial access, privilege escalation, lateral movement, followed by which the DoppelPaymer gang takes control, deploying the ransomware. DoppelPaymer ransomware distribution methods includes:

RDP
Phishing emails
Exploits
Botnets

Execution

DoppelPaymer enumerates users into the system and alters their credentials.
It establishes persistence by copying legitimate services and replacing them with itself.
It modifies the boot configuration database, allowing it to disable startup repair and to execute during the safe boot.
The ransomware modifies the group policy to display the ransom note before login/ direct the victim to the ransomware gang website to make a deal with the threat actor.
Followed by all these steps the ransomware encrypts the files and directs the victim to the website of the threat actor.

The encrypted files have extensions “.locked,” “.lock,” “.doppeled.”

Tactics, Techniques and Procedures

Tactics	Techniques
Persistence	T1197	BITS Jobs
Persistence	T1547	Boot or Logon Autostart Execution
Privilege Escalation	T1547	Boot or Logon Autostart Execution
Privilege Escalation	T1484	Group Policy Modification
Defense Evasion	T1197	BITS Jobs
	T1484	Group Policy Modification
	T1036.004	Masquerade Task or Service
Credential Access	T1003	OS Credential Dumping
Discovery	T1087	Account Discovery
Impact	T1486	Data Encrypted for Impact
	T1489	Service Stop
	T1529	System Shutdown/Reboot

Indicators of Compromise

IPv4	198.50.179.175
	192.99.28.172
	88.220.65.41
	91.83.93.104
FileHash-MD5	d00ee614e9afb8c41133b9e3e7c2b179
	8b8f84d740c31988cd5efe08d0501168
	37f525421039fe452b1fccbf5c9df7aa
	0ef5c94779cd7861b5e872cd5e922311
FileHash-SHA1	278878140bcd82632ec23b466e7b9e046af62c11
	a0a1ad8866a0d3be1fbb4ad9c2e17e25abc59303
	70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
	0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
	801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b
	d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
	bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
	813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a
	60ab87df9a77924e9f12484fa94f63fa4bb4c646072cf4b002492f59b1ee0103
	f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
	67a0d7ea6792dfaf627ab3bbaa821c2d11269a48fc3308e1ad2f4abd297405fa

Impact

Technical Impact:

Encrypted victim files
Lock out users from accessing infected device
Data leak

Business Impact:

Breach of privacy
Cyber extortion and ransom
Loss of reputation
Loss of data

Mitigation

Use strong passwords, and change the default credentials of any used software
Keep up to date with the latest patches
Use multi-factor authentication methods for user login
Back up files regularly
Avoid downloading and opening any suspicious email attachments
Avoid clicking on suspicious URLs.