DoppelPaymer Ransomware Information

    • Updated: 18 Jan 2021
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector 3.5
    • Deep Discovery Inspector 5.5
    • Deep Security 12.0
    • InterScan Messaging Security Suite 9.1
    • Interscan Web Security Suite 6.5
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Standard 10.0
Summary

DoppelPaymer is believed to be based on the BitPaymer Ransomware (which first appeared in 2017) due to similarities in their code, ransom notes, and payment portals. It is important to note, however, that there are some differences between DoppelPaymer and BitPaymer. For example, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES (with older versions using 1024-bit RSA + 128-bit RC4). Furthermore, DoppelPaymer improves upon BitPaymer’s rate of encryption by using threaded file encryption.

Behavior

  • Deletes Shadow Volume Copy
  • Maintains persistence on the targeted machine
  • Terminates processes
  • Stops services
  • Deletes itself after execution
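The behaviors listed above are what endpoint telemetry can actually observe, since each is produced by a command or API call on the host. The following Python example is added here as an illustration and is not Trend Micro's code or a DoppelPaymer indicator set: it scans constructed Sysmon-style process-creation lines for generic command patterns (shadow-copy deletion via vssadmin or wmic, service stops via net or sc, taskkill, and a Run-key addition) that commonly correspond to the listed behaviors, and flags a host when two or more distinct behaviors appear together. The regexes, the sample log lines and the two-behavior threshold are assumptions chosen for the example, not content from this article.

```python
import re

# Constructed Sysmon-style process-creation lines for the example (not real telemetry).
SAMPLE_LOG = """\
ProcessCreate Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
ProcessCreate Image=C:\\Windows\\System32\\net.exe CommandLine="net stop MSSQLSERVER /y"
ProcessCreate Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /F /IM sqlservr.exe"
ProcessCreate Image=C:\\Windows\\System32\\reg.exe CommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v updater /t REG_SZ /d C:\\Users\\Public\\x.exe"
ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"
"""

# Behavior names are taken from the list in the article; the regexes are assumed
# generic command patterns that commonly produce each behavior, not DoppelPaymer IoCs.
RULES = [
    ("Deletes Shadow Volume Copy",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("Stops services",
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b", re.I)),
    ("Terminates processes",
     re.compile(r"\btaskkill(?:\.exe)?\b.*\s/(?:f|im)\b", re.I)),
    ("Maintains persistence on the targeted machine",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

# Pulls the quoted CommandLine field out of one Sysmon-style line.
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')


def classify(cmdline):
    """Return the names of all behaviors whose rule matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(log_text):
    """Map each observed behavior to the command lines that triggered it."""
    findings = {}
    for line in log_text.splitlines():
        m = CMDLINE_RE.search(line)
        if not m:
            continue  # line has no CommandLine field; nothing to classify
        for name in classify(m.group(1)):
            findings.setdefault(name, []).append(m.group(1))
    return findings


def is_ransomware_like(findings, min_behaviors=2):
    """Assumed triage threshold: two or more distinct listed behaviors on one host."""
    return len(findings) >= min_behaviors


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, cmds in result.items():
        print(f"{name}:")
        for c in cmds:
            print(f"    {c}")
    print("ransomware-like:", is_ransomware_like(result))
```

Correlating several of the listed behaviors on the same host, rather than alerting on any single command, is what keeps this kind of rule from firing on routine administration such as a scheduled `net stop` during maintenance; in production the same logic would read real process-creation events rather than the constructed sample.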

Capabilities

  • File Encryption
  • Disabling usage capability

Impact

  • Data loss - loss of important files, documents and other data upon encryption
  • Financial loss - users are asked to pay in order to decrypt files that were affected

Infection Routine

Current infection flow, based on available data and research on other variants and incidents related to DoppelPaymer:

Details

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date / Last Update
Ransom.Win32.DOPPELPAYMER.TGACAR | Pattern available in OPR 16.456.00 | August 08, 2020
Ransom.Win32.DOPPELPAYMER.TGACAQ | Pattern available in OPR 16.456.00 | January 4, 2021
Ransom.Win32.DOPPELPAYMER.TGACAP | Pattern available in OPR 16.456.00 | January 4, 2021
Ransom.Win32.DOPPELPAYMER.M | Pattern available in OPR 16.158.00 | August 11, 2020
Ransom.Win32.DOPPELPAYMER.ac | Pattern available in OPR 16.193.00 | August 28, 2020

Predictive Machine Learning

Detection | Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF036 | In-the-Cloud

Sandbox Detection

Detection | Pattern Branch/Version
VAN_RANSOMWARE | Sandbox Behavior

Solution Map - What should customers do?

Endpoint Security (Apex One 2019; OfficeScan XG (12.0); Worry-Free Business Security Standard (10.0) and Advanced (10.0))
  • Virus Pattern: Update pattern via web console
  • Antispam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Hybrid Cloud Security (Deep Security 12)
  • Virus Pattern: Update pattern via web console
  • Antispam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Email and Gateway Security (Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14)
  • Virus Pattern: Update pattern via web console
  • Antispam Pattern: Update pattern via web console
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Not Applicable
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Network Security (Deep Discovery Inspector 5.5)
  • Virus Pattern: Update pattern via web console
  • Antispam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Not Applicable
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of DoppelPaymer Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.

Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.

You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.

For support assistance, please contact Trend Micro Technical Support.

Category: Remove a Malware / Virus
Solution Id: 000283898