Detection/Policy/Rules

Pattern Branch/Version

Release Date / Last Update

Ransom.Win32.DOPPELPAYMER.TGACAR

Pattern available in OPR 16.456.00

August 08, 2020

Ransom.Win32.DOPPELPAYMER.TGACAQ

Pattern available in OPR 16.456.00

January 4, 2021

Ransom.Win32.DOPPELPAYMER.TGACAP

Pattern available in OPR 16.456.00

January 4, 2021

Ransom.Win32.DOPPELPAYMER.M

Pattern available in OPR 16.158.00

August 11, 2020

Ransom.Win32.DOPPELPAYMER.ac

Pattern available in OPR 16.193.00

August 28, 2020

Detection

Pattern Branch/Version

Troj.Win32.TRX.XXPE50FFF036

In-the-Cloud

Detection

Pattern Branch/Version

VAN_RANSOMWARE

Sandbox Behavior

Trend Micro Solution

MAJOR PRODUCTS

LATEST VERSIONS

VIRUS PATTERN

ANTISPAM PATTERN

NETWORK PATTERN

BEHAVIOR MONITORING

PREDICTIVE MACHINE LEARNING

WEB REPUTATION

Endpoint Security

Apex One

2019

Update pattern via web console

Not Applicable

Update pattern via web console

Enable Behavior Monitoring and update pattern via web console

Enable Predictive Machine Learning

Enable Web Reputation Service and update pattern via web console

OfficeScan

XG (12.0)

Not Applicable

Worry-Free Business Security

Standard (10.0)

Advanced (10.0)

Update pattern via web console

Hybrid Cloud Security

Deep Security

Update pattern via web console

Not Applicable

Update pattern via web console

Enable Behavior Monitoring and update pattern via web console

Enable Predictive Machine Learning

Enable Web Reputation Service and update pattern via web console

Email and Gateway Security

Deep Discovery Email Inspector

3.5

Update pattern via web console

Not Applicable

Enable Web Reputation Service and update pattern via web console

InterScan Messaging Security

9.1

Not Applicable

InterScan Web Security

6.5

ScanMail for Microsoft Exchange

Network Security

Deep Discovery Inspector

5.5

Update pattern via web console

Not Applicable

Update pattern via web console

Not Applicable

Enable Web Reputation Service and update pattern via web console

DoppelPaymer Ransomware Information

Product / Version includes:

Deep Discovery Email Inspector 3.5 , Interscan Web Security Suite 6.5 , OfficeScan XG , Apex One 2019 , InterScan Messaging Security Suite 9.1 , Worry-Free Business Security Advanced 10.0 , Worry-Free Business Security Standard 10.0 , ScanMail for Exchange 14.0 , Deep Discovery Inspector 5.5 , Deep Security 12.0

Last updated: 2025/05/08

Solution ID: KA-0011383

Category: Remove a Malware / Virus

Summary

DoppelPaymer is believed to be based on the BitPaymer Ransomware (which first appeared in 2017) due to similarities in their code, ransom notes, and payment portals. It is important to note, however, that there are some differences between DoppelPaymer and BitPaymer. For example, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES (with older versions using 1024-bit RSA + 128-bit RC4). Furthermore, DoppelPaymer improves upon BitPaymer’s rate of encryption by using threaded file encryption.

Behavior

Deletes Shadow Volume Copy
Maintains persistence on the targeted machine
Terminates processes
Stops services
Delete itself after execution

Capabilities

File Encryption
Disabling usage capability

Impact

Data loss - loss of important files, documents and other data upon encryption
Financial loss - users are asked to pay in order to decrypt files that were affected

Infection Routine

Current infection flow based on available data and research regarding other variants/incidents related to DoppelPaymer :

File Reputation

Detection/Policy/Rules	Pattern Branch/Version	Release Date / Last Update
Ransom.Win32.DOPPELPAYMER.TGACAR	Pattern available in OPR 16.456.00	August 08, 2020
Ransom.Win32.DOPPELPAYMER.TGACAQ	Pattern available in OPR 16.456.00	January 4, 2021
Ransom.Win32.DOPPELPAYMER.TGACAP	Pattern available in OPR 16.456.00	January 4, 2021
Ransom.Win32.DOPPELPAYMER.M	Pattern available in OPR 16.158.00	August 11, 2020
Ransom.Win32.DOPPELPAYMER.ac	Pattern available in OPR 16.193.00	August 28, 2020

Predictive Machine Learning

Detection	Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF036	In-the-Cloud

Sandbox Detection

Detection	Pattern Branch/Version
VAN_RANSOMWARE	Sandbox Behavior

Solution Map - What should customers do?

Trend Micro Solution	MAJOR PRODUCTS	LATEST VERSIONS	VIRUS PATTERN	ANTISPAM PATTERN	NETWORK PATTERN	BEHAVIOR MONITORING	PREDICTIVE MACHINE LEARNING	WEB REPUTATION
Endpoint Security	Apex One	2019	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
	OfficeScan	XG (12.0)			Not Applicable
	Worry-Free Business Security	Standard (10.0)
	Worry-Free Business Security	Advanced (10.0)		Update pattern via web console
Hybrid Cloud Security	Deep Security	12	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
Email and Gateway Security	Deep Discovery Email Inspector	3.5	Update pattern via web console	Update pattern via web console	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console
	InterScan Messaging Security	9.1			Not Applicable
	InterScan Web Security	6.5
	ScanMail for Microsoft Exchange	14
Network Security	Deep Discovery Inspector	5.5	Update pattern via web console	Not Applicable	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of DoppelPaymer Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.

Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.

You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.

For support assistance, please contact Trend Micro Technical Support.

Threat Report

Blog

Trend Micro Blog: An Overview of the DoppelPaymer Ransomware

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

DoppelPaymer Ransomware Information

DoppelPaymer Ransomware Information

Product / Version includes:

Summary