DoppelPaymer is believed to be based on the BitPaymer ransomware (first seen in 2017) because of similarities in their code, ransom notes, and payment portals. The two differ in some respects, however. DoppelPaymer uses 2048-bit RSA with 256-bit AES for file encryption, whereas BitPaymer uses 4096-bit RSA with 256-bit AES (older BitPaymer builds used 1024-bit RSA with 128-bit RC4). DoppelPaymer also encrypts files faster than BitPaymer because it runs file encryption in multiple threads.
Behavior
- Deletes shadow volume copies
- Maintains persistence on the targeted machine
- Terminates processes
- Stops services
- Deletes itself after execution
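The behaviours above are what an incident responder can actually look for in endpoint telemetry before encryption finishes. The following is an added example (not code from this page or from Trend Micro): a small triage script that classifies process-creation events (the kind Sysmon Event ID 1 or EDR agents record) into those behaviour classes and flags a parent process that exhibits several of them. The log format, the file paths and the sample events are constructed for illustration; the command-line patterns are common ways these behaviour classes surface on Windows (vssadmin/wmic/wbadmin shadow deletion, net/sc service stops, taskkill, Run-key or scheduled-task persistence, cmd-driven self-deletion) and are not a statement of the exact commands DoppelPaymer issues.

```python
"""Triage Windows process-creation events for ransomware-like behaviours.

Added example, not code from the page or from Trend Micro. The log format,
the sample events and the command-line patterns are constructed for
illustration; the patterns are common ways these behaviour classes appear
in process-creation telemetry, not DoppelPaymer's exact commands.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # executable that was started
    command_line: str   # full command line
    parent_image: str   # executable that started it


# Behaviour class -> regex over the command line (case-insensitive).
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("service_stop", re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
    ("process_termination", re.compile(r"taskkill(\.exe)?\s+.*?/(f|im)\b", re.I)),
    ("persistence", re.compile(
        r"reg(\.exe)?\s+add\s+\S*\\currentversion\\run"
        r"|schtasks(\.exe)?\s+/create", re.I)),
]

# "del <path>.exe" inside a cmd.exe command line. Self-deletion is only
# flagged when the deleted path is the parent process's own image.
SELF_DELETE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*"?([^"&|]+?\.exe)"?', re.I)


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value<TAB>Key=Value' log line."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")  # split on the first '=' only
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields.get("Image", ""), fields.get("CommandLine", ""),
                        fields.get("ParentImage", ""))


def classify(ev: ProcessEvent) -> set:
    """Return the set of behaviour classes that one event matches."""
    hits = {name for name, rx in RULES if rx.search(ev.command_line)}
    m = SELF_DELETE.search(ev.command_line)
    if m and ev.parent_image and m.group(1).strip().lower() == ev.parent_image.lower():
        hits.add("self_deletion")
    return hits


def triage(lines, threshold: int = 3) -> dict:
    """Group behaviours by parent process and report parents showing at
    least `threshold` distinct classes. A lone vssadmin call is routine
    admin noise; a parent that also stops services and kills processes
    is not."""
    by_parent = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        by_parent[ev.parent_image.lower()] |= classify(ev)
    return {p: sorted(b) for p, b in by_parent.items() if len(b) >= threshold}


def _line(image, cmd, parent):
    return "\t".join((f"Image={image}", f"CommandLine={cmd}", f"ParentImage={parent}"))


DROPPER = r"C:\Users\Public\update.exe"   # constructed, hypothetical path

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    _line(r"C:\Windows\System32\vssadmin.exe",
          r"vssadmin.exe delete shadows /all /quiet", DROPPER),
    _line(r"C:\Windows\System32\net.exe", r"net stop MSSQLSERVER /y", DROPPER),
    _line(r"C:\Windows\System32\taskkill.exe", r"taskkill /f /im sqlservr.exe", DROPPER),
    _line(r"C:\Windows\System32\reg.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d " + DROPPER,
          DROPPER),
    _line(r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "' + DROPPER + '"', DROPPER),
    _line(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt",
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for parent, behaviours in triage(SAMPLE_LOG).items():
        print(f"{parent}: {', '.join(behaviours)}")
```

Run as-is, the script reports only the constructed dropper, which accumulates all five behaviour classes across its child processes, while the notepad.exe event under explorer.exe matches nothing. Correlating on the parent image rather than alerting on each command separately is the point: backup agents and administrators legitimately delete shadow copies and stop services, but a single parent doing both, killing processes and then deleting its own binary is the sequence worth paging on.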
Capabilities
- File Encryption
- Disabling usage capability
Impact
- Data loss - loss of important files, documents and other data upon encryption
- Financial loss - users are asked to pay in order to decrypt files that were affected
Infection Routine
Current infection flow, based on available data and research on other DoppelPaymer variants and related incidents:
File Reputation
Detection/Policy/Rules | Pattern Branch/Version | Release Date / Last Update |
---|---|---|
Ransom.Win32.DOPPELPAYMER.TGACAR | Pattern available in OPR 16.456.00 | August 08, 2020 |
Ransom.Win32.DOPPELPAYMER.TGACAQ | Pattern available in OPR 16.456.00 | January 4, 2021 |
Ransom.Win32.DOPPELPAYMER.TGACAP | Pattern available in OPR 16.456.00 | January 4, 2021 |
Ransom.Win32.DOPPELPAYMER.M | Pattern available in OPR 16.158.00 | August 11, 2020 |
Ransom.Win32.DOPPELPAYMER.ac | Pattern available in OPR 16.193.00 | August 28, 2020 |
Predictive Machine Learning
Detection | Pattern Branch/Version |
---|---|
Troj.Win32.TRX.XXPE50FFF036 | In-the-Cloud |
Sandbox Detection
Detection | Pattern Branch/Version |
---|---|
VAN_RANSOMWARE | Sandbox Behavior |
Solution Map - What should customers do?
Trend Micro Solution | MAJOR PRODUCTS | LATEST VERSIONS | VIRUS PATTERN | ANTISPAM PATTERN | NETWORK PATTERN | BEHAVIOR MONITORING | PREDICTIVE MACHINE LEARNING | WEB REPUTATION |
---|---|---|---|---|---|---|---|---|
Endpoint Security | Apex One | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
OfficeScan | XG (12.0) | Not Applicable | ||||||
Worry-Free Business Security | Standard (10.0) | |||||||
Advanced (10.0) | Update pattern via web console | |||||||
Hybrid Cloud Security | Deep Security | 12 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
InterScan Messaging Security | 9.1 | Not Applicable | ||||||
InterScan Web Security | 6.5 | |||||||
ScanMail for Microsoft Exchange | 14 | |||||||
Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendation
Always use the latest available pattern so that both old and new DoppelPaymer variants are detected. Refer to the KB article Recommendations on how to best protect your network using Trend Micro products.
Implement the ransomware protection features and best practices. Refer to the KB article Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.
Threat Report
- Threat Encyclopedia: Ransom.Win32.DOPPELPAYMER.AC
- Threat Encyclopedia: Ransom.Win32.DOPPELPAYMER.M
- Threat Encyclopedia: Ransom.Win32.DOPPELPAYMER.TGACAP
- Threat Encyclopedia: Ransom.Win32.DOPPELPAYMER.TGACAR
- Threat Encyclopedia: Ransom.Win32.DOPPELPAYMER.TGACAQ
Blog