DoppelPaymer Ransomware Shows Ties to BitPaymer

What Is It?

Researchers from CrowdStrike have recently detailed their findings into a new ransomware variant they have named DoppelPaymer.

The ransomware began in June 2019 with victims including government attacks on the Ministry of Agriculture of Chile and the Texas city of Edcouch. In the case of Edcouch, city officials stated their backups were also encrypted. Ransom amounts of 2, 40 and 100 bitcoin have been observed, the latter currently equivalent to almost US$1 million.

Researchers found numerous similarities with previous versions of BitPaymer ransomware, leading them to believe DoppelPaymer is based on earlier BitPaymer source code and then modified and improved. It is possible that one or more members of the so-called Indrik Spider group have formed their own attack group. Indrik Spider first released BitPaymer ransomware in August 2017 after gaining notoriety for releasing the Dridex banking trojan.

One of the DoppelPaymer improvements is that the file encryption now utilizes multiple threads, allowing it to simultaneously encrypt a number of files, therefore taking less time to fully encrypt an infected system’s files. DoppelPaymer also includes a mechanism designed to defeat automated behavioral malware analysis, such as that used by legacy anti-virus vendors.

The malware will only execute correctly if the correct command line parameter is passed. It calculates a checksum of the first parameter passed and adds it to a hard-coded value, it then uses this as the location within the code to begin executing from. The malware will crash if the parameter is incorrect or missing. Researchers found the hard-coded value is different with each variant.

DoppelPaymer also utilizes the legitimate ProcessHacker utility, which is contained and encrypted within the DoppelPaymer sample. It uses ProcessHacker to terminate processes that might stop it from successfully encrypting files. To again make reverse engineering of the sample more difficult, the names of these processes are stored as checksums. They include various backup processes, numerous Microsoft Exchange processes, Dropbox and the processes of several security products, such as Cylance, McAfee, MalwareBytes, Avast, Fortinet and NOD32.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. However, DoppelPaymer will encrypt files on shared drives. The most common attack vector for most ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents. The Dridex 2.0 sample was distributed by Emotet malware and was included by the researchers due to the links to the Indrik Spider group.

When/How Did BluVector Detect It?

One sample each of DoppelPaymer and Dridex 2.0 were listed by CrowdStrike researchers and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the DoppelPaymer sample would have been detected 57 months prior to its release and the Dridex 2.0 sample 66 months prior.

All Threat Reports