Cybersecurity Snapshots #17 - DoppelPaymer Ransomware Gang
Cybersecurity Snapshots #17 -
DoppelPaymer Ransomware Gang
In a new report, McAfee researchers discovered that from Q3 to Q4 of 2020, the number of ransomware incidents that affected organizations rose 69%. In 2020 the FBI put out a warning of increased activity of a ransomware gang called DoppelPaymer. DoppelPaymer was behind a few high-profile attacks in 2020. DoppelPaymer cybergang first appeared in 2019 as an offshoot of the cybercrime operation called Evil Corp. According to researchers at CrowdStrike, the DoppelPaymer gang demands ransoms of $25,000 to $1.2 million in bitcoin.
In November 2019, Mexico's state-owned oil company PEMEX (PetrĂ³leos Mexicanos) suffered a DoppelPaymer ransomware attack. The gang asked for $4.9 million worth of bitcoins as a ransom for decrypting files. PEMEX did not pay the ransom. The FBI stated that in 2020 the DoppelPaymer gang was behind an attack on an unidentified U.S. county. The ransomware operators compromised a 911 center and made changes that prevented police and other officials from accessing the county's computer-aided dispatch system. The ransomware forced emergency services to revert to manual operations. In another attack by the cyber gang, they were able to infect the network of a German hospital, leading to one patient being transported 20 miles away for treatment. The FBI also says DoppelPaymer is believed to have compromised the networks of several community colleges in the United States in 2020. Newcastle University had also suffered a cyberattack conducted by the DoppelPaymer ransomware gang in 2020. The threat actors stole 750Kb worth of data and posted it on their data leak site "Dopple Leaks." They caused so much damage to the school's systems that it took several weeks to get the system running back to normal.
The DoppelPaymer gang, like other ransomware gangs, deploys double extortion tactics to pressure victims into paying up. Double extortion tactics are where they encrypt victims' files to make them inaccessible and threaten to leak confidential data if their demands are not met. Double extortion tactics first started appearing in late 2019, becoming an increasingly common trend through 2020. DoppelPaymer is one of the first ransomware gangs where they call the victims to entice payments. During a warning put out by the FBI, they claimed that in one case, a member of the DoppelPaymer gang used a spoofed US-based telephone number while claiming to be located in North Korea, and threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same company, the actor threatened to send an individual to an employee's home and provided the employee's home address. The actor also called several of the employee's relatives.
DoppelPaymer is believed to be based on the BitPaymer ransomware (which first appeared in 2017) due to similarities in their code, ransom notes, and payment portals. There are some key differences between DoppelPaymer and BitPaymer, however. For example, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES (with older versions using 1024-bit RSA + 128-bit RC4). Furthermore, DoppelPaymer improves upon BitPaymer's rate of encryption by using threaded file encryption. Another difference between the two is that before DoppelPaymer executes its malicious routines, it needs to have the correct command-line parameter. The researchers found that the samples that they encountered have different parameters for different samples. The researchers believe that this technique is possibly used by the attackers to avoid detection via sandbox analysis and to help prevent security researchers from studying the samples. Another unique aspect of DoppelPaymer is its use of a tool called Process Hacker, which it uses to terminate services and processes related to security, email server, backup, and database software to impair defenses and prevent access violation during encryption.
The DoppelPaymer gang usually starts off with network infiltration via malicious spam emails containing spear-phishing links or attachments designed to lure unsuspecting users into executing malicious code. This code is responsible for downloading other malware with more advanced capabilities (such as Emotet) into the victim's system. Once Emotet is downloaded, it will communicate with its Command-and-Control (C&C) server to install various modules and download and execute other malware. In one campaign, researchers found that the C&C server was used to download and execute the Dridex malware family, which in turn was used to download either DoppelPaymer directly or tools such as PowerShell Empire, Cobalt Strike, PsExec, and Mimikatz. These tools are used for various activities, such as stealing credentials, moving laterally inside the network, and executing different commands, such as disabling security software. Once Dridex enters the system, the threat actors do not immediately deploy the ransomware. Instead, they try to move laterally within the affected system's network to find a high-value target to steal critical information. Once this target is found, Dridex will proceed in executing its final payload, DoppelPaymer. DoppelPaymer encrypts files located in the network as well as fixed and removable drives in the affected system. Finally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent user entry from the system. It then adjusts the notice text that appears before Windows proceeds to the login screen. The new notice text is now DoppelPaymer's ransom note, which warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that their sensitive data will be shared to the public if they do not pay the ransom that is demanded from them. DoppelPaymer will also drop the Process Hacker executable, its driver, and a stager DLL. DoppelPaymer will create another instance of itself that executes the dropped Process Hacker. Once Process Hacker is running, it will load the stager DLL via DLL Search Order Hijacking. Stager DLL will listen/wait for a trigger from the running DoppelPaymer process. DoppelPaymer has a crc32 list of processes and services it will terminate. If a process or service in its list is running, it will trigger the Process Hacker to terminate it.
The DoppelPaymer ransomware gang is expected to be more active in 2021. Security researchers suggest that organizations protect themselves from ransomware such as DoppelPaymer by ensuring that security best practices are in place. The researchers recommend that individuals should refrain from opening unverified emails, clicking on any embedded links or attachments in these messages, and regularly back up important files using the 3-2-1 rule. The 3-2-1 rule is when an individual creates three backup copies in two different file formats, with one of the backups in a separate physical location. One should also update both software and applications with the latest patches as soon as possible to protect them from vulnerabilities. The researchers also suggest monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.