Doppelpaymer

Malware Profile Updated 3 months ago
DoppelPaymer is ransomware known for high-profile attacks on large organizations and municipalities. Originally derived from the BitPaymer ransomware, it was reworked and renamed by the threat group GOLD HERON after initially being operated by GOLD DRAKE, and it has been deployed in campaigns alongside other malware such as Dridex. Notable victims include commercial entities such as ASUS and the energy company ConocoPhillips, as well as municipalities such as Augusta, Georgia. Ransom demands often exceed $1 million, reflecting its focus on high-value targets. In March 2020, DoppelPaymer hit several prominent companies, including SpaceX, Tesla, and a Boeing parts manufacturer, further cementing its reputation as a significant cybersecurity threat.

These intrusions did not go unnoticed by law enforcement. In the early months of 2023, operations against major ransomware threats, including DoppelPaymer, caused significant disruption to their activities. The effort culminated in a Europol operation against core members of the DoppelPaymer gang, leading to the arrest, in Germany and Ukraine, of two individuals believed to be integral to the group's activities. These arrests marked a significant victory in the ongoing fight against global cybercrime and demonstrated the effectiveness of international cooperation. As of September 2021, however, DoppelPaymer remained an active ransomware threat, underlining the need for continued vigilance in cybersecurity practice.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
BitPaymer | 3 | BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
Grief | 2 | Grief is a malicious software, or malware, known for its destructive capabilities to exploit and damage computer systems. It infiltrates unsuspecting users' devices through suspicious downloads, emails, or websites, often without their knowledge. Once inside a system, Grief can steal personal inform
WastedLocker | 1 | WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
Ransomware
Europol
Police
Malware
Cybercrime
FBI
Phishing
Extortion
Ransom
German
NetScaler
Citrix
Boeing
Spam
Backdoor
RaaS
Associated Malware
ID | Type | Votes | Profile Description
Dridex | Unspecified | 3 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Qbot | Unspecified | 2 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Emotet | Unspecified | 2 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
ProLock | Unspecified | 1 | ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data
Egregor | Unspecified | 1 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
MegaCortex | Unspecified | 1 | MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Azorult | Unspecified | 1 | Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Fakeupdates | Unspecified | 1 | FakeUpdates, also known as SocGholish, is a JavaScript-based loader malware that primarily targets Microsoft Windows-based environments. The malware has been in operation for over five years and uses compromised websites to trick users into running a fake browser update. In addition to its deceptive
Hive | Unspecified | 1 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Nefilim | Unspecified | 1 | Nefilim is a malware, specifically a ransomware, that has been responsible for significant cyber threats globally. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Between 2019 and 2021,
Ragnar Locker | Unspecified | 1 | Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Netwalker | Unspecified | 1 | NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Associated Threat Actors
ID | Type | Votes | Profile Description
Sodinokibi | Unspecified | 1 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
Evil Corp | Unspecified | 1 | Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the DoppelPaymer malware was drawn from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | 8 of the Biggest Ransomware Attacks in Recent History: A Look Back
CERT-EU | 7 months ago | The law enforcement operations targeting cybercrime in 2023
CERT-EU | 7 months ago | Cybersecurity Year in Review 2023: A zero-day nightmare | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 7 months ago | Cybersecurity Year in Review 2023: A zero-day nightmare | IT World Canada News
CERT-EU | 7 months ago | AlphV/BlackCat allegedly calls for ransomware gang ‘cartel’ to stand up to police | IT World Canada News
CERT-EU | 8 months ago | The shifting sands of the war against cyber extortion - Help Net Security
CERT-EU | 9 months ago | Boeing Confirms Cyberattack Amid Lockbit Ransomware Gang Claims
CERT-EU | a year ago | No Password Required: The Teenage CEO of Girls Who Hack and Secure Open Vote, Who Is as Comfortable Behind a Mic as She Is Behind a Keyboard.
Naked Security | a year ago | S3 Ep125: When security hardware has security holes [Audio + Text]
CERT-EU | a year ago | Ongoing Attacks: Over 600+ Citrix Servers Compromised to Install Web Shells
CERT-EU | 10 months ago | Cyber Security Week in Review: September 29, 2023
CERT-EU | 10 months ago | ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
CERT-EU | 10 months ago | Update: The 2023 Malware League Table
CERT-EU | 10 months ago | DoppelPaymer ransomware group suspects identified - Cyber Security Review
Malwarebytes | 10 months ago | DoppelPaymer ransomware group suspects identified
CERT-EU | 10 months ago | August 2023's Most Wanted Malware : New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI – Global Security Mag Online
CERT-EU | a year ago | North Korean hackers used polished LinkedIn profiles to target security researchers
Securityaffairs | a year ago | New QBot campaign delivered hijacking business correspondence
CERT-EU | a year ago | 80+ Africa Cybersecurity Statistics and Trends (2023)