Doppel Spider

Description

(CrowdStrike) CrowdStrike Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by Indrik Spider. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

DoppelPaymer has been observed to be distributed by Smoke Loader (operated by Smoky Spider) and Emotet (operated by Mummy Spider, TA542).

Names

Name	Name-Giver
Doppel Spider	CrowdStrike
Gold Heron	SecureWorks
Grief Group	self given

Country

• Russia

Motivation

• Financial gain

First Seen

2019

Observed Sectors

• Government
• Manufacturing

Observed Countries

• Austria
• Brazil
• Canada
• Chile
• Dominican Republic
• France
• Germany
• Greece
• Italy
• Mexico
• Portugal
• Spain
• Switzerland
• Thailand
• UK
• USA

Tools

• Cobalt Strike
• DoppelPaymer
• Grief

Operations

• 2020-02: The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/
• 2020-03: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/
• 2020-06: DopplePaymer ransomware gang claims to have breached DMI, a major US IT and cybersecurity provider, and one of NASA IT contractors. https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/
• 2020-08: UK research university Newcastle University says that it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of August 30th. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-newcastle-university-leaks-data/
• 2020-09: Death occurred after a patient was diverted to a nearby hospital after the Duesseldorf University Hospital suffered a ransomware attack. https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/
• 2020-10: On October 7th, Hall County in Georgia announced that they had suffered a ransomware attack that impacted their networks and phone systems. https://www.bleepingcomputer.com/news/security/georgia-county-voter-information-leaked-by-ransomware-gang/
• 2020-11: Compal, the second-largest laptop manufacturer in the world, hit by ransomware https://www.zdnet.com/article/compal-the-second-largest-laptop-manufacturer-in-the-world-hit-by-ransomware/
• 2020-11: MasterChef, Big Brother producer hit by DoppelPaymer ransomware https://www.bleepingcomputer.com/news/security/masterchef-big-brother-producer-hit-by-doppelpaymer-ransomware/
• 2020-12: Foxconn electronics giant hit by ransomware, $34 million ransom https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/
• 2021-02: Kia Motors America suffers ransomware attack, $20 million ransom https://www.bleepingcomputer.com/news/security/kia-motors-america-suffers-ransomware-attack-20-million-ransom/
• 2021-04: Breach of the Illinois Attorney General’s Office https://illinoisattorneygeneral.gov/pressroom/2021_04/20210413.html
• 2021-07: DoppelPaymer ransomware gang rebrands as the Grief group https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang-rebrands-as-the-grief-group/
• 2021-09: Ransomware gang threatens to wipe decryption key if negotiator hired https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/
• 2021-09: Grief Gang’s New Quadruple Extortion Scheme Doesn’t Change the Game https://www.cybereason.com/blog/grief-gangs-new-quadruple-extortion-scheme-doesnt-change-the-game
• 2021-10: Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; & Service Companies in U.K. & Europe https://www.esentire.com/security-advisories/grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe
• 2021-10: NRA: No comment on Russian ransomware gang attack claims https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/

Counter Operations

• 2023-02: Germany and Ukraine hit two high-value ransomware targets https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets
• 2023-09: DoppelPaymer ransomware group suspects identified https://www.malwarebytes.com/blog/news/2023/09/doppelpaymer-ransomware-group-suspects-identified
• 2025-05: Moldova arrests suspect linked to DoppelPaymer ransomware attacks https://www.bleepingcomputer.com/news/security/moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks/

Information

• https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
• https://lifars.com/2019/11/from-dridex-to-bitpaymer-ransomware-to-doppelpaymerthe-evolution/
• https://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/
• https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
• https://beta.documentcloud.org/documents/20428892-doppelpaymer-fbi-pin-on-dec-10-2020

Other Information

Uuid

9e088fdc-e4b7-4ab2-b7b5-8b85b4f7b8b8

Last Card Change

2025-06-27