Doppelpaymer

Malware updated a month ago (2024-11-29T14:00:22.431Z)

Download STIX

Preview STIX

DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in mid-2019 and began being used for double extortion attacks in early 2020. It has primarily targeted large organizations, demanding ransoms exceeding $1 million. Notable victims include computer manufacturer ASUS, municipalities like Augusta, George, and energy giant ConocoPhillips. In 2021, the ransomware underwent another rebranding and started operating under the name Grief. Law enforcement agencies from Germany and Ukraine conducted operations targeting key members of the DoppelPaymer ransomware group in February 2023. Two individuals, including a German national and Turashev, who had been wanted by German law enforcement since 2023 for his alleged involvement in running the ransomware, were arrested. These arrests marked significant progress in the ongoing fight against cybercrime and ransomware threats. The arrest of the DoppelPaymer operators aligns with a broader trend of increased law enforcement activity against ransomware gangs. Earlier in the same year, agencies successfully disrupted the HIVE and Genesis ransomware operations. Additionally, the suspected developer of the Ragnar Locker ransomware gang was apprehended in Paris. Despite these successes, DoppelPaymer remains an active threat, underscoring the importance of continued vigilance and cybersecurity measures among potential target organizations.

Description last updated: 2024-10-02T21:16:21.320Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
BitPaymer is a possible alias for Doppelpaymer. BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransom	3
Grief is a possible alias for Doppelpaymer. Grief is a potent malware that evolved from the DoppelPaymer ransomware, first appearing in mid-2019 and used for double extortion attacks beginning in early 2020. The malware was rebranded as Grief in 2021 under the alleged direction of an individual named Turashev, who has been sought by German la	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Europol

Police

Malware

Extortion

Cybercrime

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Dridex Malware is associated with Doppelpaymer. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	Unspecified	3
The Qbot Malware is associated with Doppelpaymer. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23	Unspecified	2
The Emotet Malware is associated with Doppelpaymer. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,	Unspecified	2

Source Document References

Information about the Doppelpaymer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	3 months ago	Cybercrime is Still Evil Incorporated, But Disruptions Help
CERT-EU	2 years ago	8 of the Biggest Ransomware Attacks in Recent History: A Look Back
CERT-EU	a year ago	The law enforcement operations targeting cybercrime in 2023
CERT-EU	a year ago	Cybersecurity Year in Review 2023: A zero-day nightmare \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Cybersecurity Year in Review 2023: A zero-day nightmare \| IT World Canada News
CERT-EU	a year ago	AlphV/BlackCat allegedly calls for ransomware gang ‘cartel’ to stand up to police \| IT World Canada News
CERT-EU	a year ago	The shifting sands of the war against cyber extortion - Help Net Security
CERT-EU	a year ago	The shifting sands of the war against cyber extortion - Help Net Security
CERT-EU	a year ago	Boeing Confirms Cyberattack Amid Lockbit Ransomware Gang Claims
CERT-EU	2 years ago	No Password Required: The Teenage CEO of Girls Who Hack and Secure Open Vote, Who Is as Comfortable Behind a Mic as She Is Behind a Keyboard.
Naked Security	2 years ago	S3 Ep125: When security hardware has security holes [Audio + Text]
CERT-EU	a year ago	Ongoing Attacks: Over 600+ Citrix Servers Compromised to Install Web Shells
CERT-EU	a year ago	Cyber Security Week in Review: September 29, 2023
CERT-EU	a year ago	ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU	a year ago	Update: The 2023 Malware League Table
CERT-EU	a year ago	DoppelPaymer ransomware group suspects identified - Cyber Security Review
Malwarebytes	a year ago	DoppelPaymer ransomware group suspects identified
CERT-EU	a year ago	August 2023's Most Wanted Malware : New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI – Global Security Mag Online
CERT-EU	2 years ago	North Korean hackers used polished LinkedIn profiles to target security researchers
Securityaffairs	2 years ago	New QBot campaign delivered hijacking business correspondence