DoppelPaymer: Not Your Average Ransomware


How this “extortionware” makes backups irrelevant, and what you can do about it.

March 9, 2020 • Published by


DoppelPaymer (sometimes spelled “DopplePaymer”) is a word that’s been appearing more frequently in my threat feed chatter, so of course I had to see what updates have been occurring over the past 6 months. A ransomware variant, DoppelPaymer is showing some interesting new features that have morphed it into what we call “extortionware.”

DoppelPaymer is infecting systems and performing not only data encryption for ransom, but also exfiltrating data back to the attackers to be potentially released to the public if payment for the ransom is not made. And recently, the attackers are making good on their threats and the stolen data is being published publicly online.

This isn’t the first variant we’ve seen do this kind of activity, but it is interesting to see this tactic begin to be used by existing malware/ransomware. DoppelPaymer was initially based on BitPaymer, from the same group who developed Dridex. So, this isn’t new territory for these attackers.

These newer kinds of attacks present new concerns.

Here are the important considerations your SecOps team should be making in light of these newer attacks:

  1. This laughs in the face of companies that say, “We are prepared; if this happens to us, we can just restore from backups.” Sure, you can restore from backups, but now you are risking breach of any data the attackers exfiltrated while inside the network. And, you are dealing with attackers who are showing they are not only willing but have the easy means to release this information.
  2. Traditional antivirus or anti-malware solutions simply won’t cut it. I’ve got dozens of examples of malware that immediately run commands as the user to disable Windows Defender, ESET, Symantec, etc., because the user has the privileges to disable the tools. This is well before the attack even begins, so by disabling these tools, the door is now wide open. These same scripts drop firewall protection, disable backup software and delete all local backups as well, prior to their next stages of attack.
  3. We are going to continue to see a combination of data exfiltration and ransomware coming together. Attackers are getting wise to companies taking note of how to prevent or recover from ransomware, and they want to ensure their business models stay profitable. Decide not to pay the ransom and try to keep the breach hush? They release your information, patient records, customer records, financial data, contacts from your email, etc.

So, what’s the solution?

The solution to ransomware and extortionware like DoppelPaymer is to continue to stay on your toes. While this may sound impossible, it’s not if you team up with a solid Managed Detection and Response (MDR) partner.

For example, scenario 2 above wouldn’t work against those using ControlScan MDR. That’s because the ControlScan MDR solution is running at a protected kernel level, which means even the Administrators of the network cannot disable it, only our SOC can. This level of prevention makes it increasingly difficult for attackers, and ensures our SOC can prevent, detect, contain and remediate threats on our customers’ systems.

If your internal security efforts could use a boost, give us a call at 800-825-3301, ext. 2, or complete and submit the “Request Information” form on this page. We’re happy to discuss how a ControlScan partnership can cost-effectively protect your organization.