Day 6: DoppelPaymer/Grief Ransomware

Common Attack Vectors

  • Phishing/Spam Emails

Vulnerabilities Exploited

  • Active Directory
  • Unpatched software and applications
  • Citrix ADC
  • Weak Windows service configuration
  • Network share discovery

Industries Targeted Frequently

Healthcare

Threat actors target healthcare organizations to steal patients' names, financial records, Social Security numbers, and other personal information.

Critical Infrastructure

Threat actors target critical infrastructure, disrupting businesses that provide essential services to consumers and other organizations.

Education

Threat actors target educational institutions to steal students' and employees' information, including names, Social Security numbers, and addresses.

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Recent Activity

DoppelPaymer ransomware leaked numerous files from the Illinois Office of the Attorney General, including court case information and private documents, after officials refused to pay the ransom.

DoppelPaymer targeted a German hospital, disrupting communications and general operations.

Grief ransomware stole data from the National Rifle Association, including U.S. tax information and investment records, and posted it on the group's leak website.

Grief ransomware has threatened to delete victims' data if the targeted companies bring in professional negotiators to help lower the ransom demanded for the decryption tools.

Common File Extensions

  • .doppeled
  • .Grief

Known Aliases

  • BitPaymer
  • Grief
  • PayOrGrief
  • Pay or Grief

How DoppelPaymer/Grief Ransomware is Distributed

Both DoppelPaymer and Grief gain their initial foothold through malicious spam: spear-phishing emails carry links or attachments that lure the recipient into executing malicious code disguised as a legitimate document. That code downloads additional malware, notably Emotet, onto the victim's system. Emotet contacts its command-and-control (C&C) server, which installs further modules and downloads and executes other malware, including the Dridex trojan. Dridex then moves laterally through the affected network, hunting for high-value targets and stealing critical information along the way.

Once a suitable target is found, Dridex deploys the DoppelPaymer ransomware, which encrypts files on network shares as well as on the fixed and removable drives of the affected system. DoppelPaymer also changes the user's password, forces a restart into Safe Mode so the user is locked out of the machine, and replaces the legal notice text that Windows displays before the login screen.
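The three post-encryption actions described above (Safe Mode restart, replaced pre-logon notice, password change) each leave an artefact a responder can check for directly on a Windows host. The script below is an added example written for this page, not SpearTip's code and not code from the ransomware itself. It assumes the Safe Mode restart is configured through the boot configuration data (the "safeboot" value bcdedit reports), that the pre-logon notice is the standard LegalNoticeCaption/LegalNoticeText policy values, and that password changes show up as Security event 4724; the $ExpectedCaption and $LookBackHours parameters are illustrative settings, not values from the original page.

```powershell
# Added example (not SpearTip's or the ransomware's code): check a Windows host for the
# Safe Mode flag, an unexpected pre-logon banner and recent password resets.
# Run from an elevated PowerShell prompt. $ExpectedCaption and $LookBackHours are assumed,
# illustrative defaults; set $ExpectedCaption to the banner your GPO legitimately deploys.
param(
    [string]$ExpectedCaption = '',
    [int]$LookBackHours = 24
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Boot configuration: a "safeboot" value on an active boot entry means the next restart
#    lands in Safe Mode, which is how the user is kept off the machine after encryption.
$bcdLines = & bcdedit /enum 2>$null
foreach ($line in ($bcdLines | Where-Object { $_ -match '^\s*safeboot\s+\S+' })) {
    $findings.Add("Boot entry configured for Safe Mode: $($line.Trim())")
}

# 2. Pre-logon legal notice. The caption and text shown before the Windows logon screen are
#    stored under the Policies\System key; a banner you did not deploy is a strong indicator.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.LegalNoticeCaption -ne $ExpectedCaption) {
    if ($policy.LegalNoticeCaption) {
        $findings.Add("Unexpected LegalNoticeCaption: $($policy.LegalNoticeCaption)")
    }
    if ($policy.LegalNoticeText) {
        $preview = $policy.LegalNoticeText.Substring(0, [Math]::Min(120, $policy.LegalNoticeText.Length))
        $findings.Add("LegalNoticeText set: $preview")
    }
}

# 3. Password resets. Security event 4724 ("An attempt was made to reset an account's
#    password") records which account reset which user's password.
$since = (Get-Date).AddHours(-$LookBackHours)
$resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
    -ErrorAction SilentlyContinue
foreach ($ev in $resets) {
    # Property order for 4724: TargetUserName, TargetDomainName, TargetSid,
    # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId
    $target  = $ev.Properties[0].Value
    $subject = $ev.Properties[4].Value
    $findings.Add("4724 at $($ev.TimeCreated): '$subject' reset the password of '$target'")
}

if ($findings.Count -eq 0) {
    Write-Output "No Safe Mode flag, unexpected logon banner or recent password resets found."
} else {
    Write-Output "Possible DoppelPaymer-style tampering detected:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Two caveats when using this: many organisations set a legitimate logon banner by group policy, so compare against the expected caption rather than treating any banner as malicious, and Security event 4724 is only written if account-management auditing is enabled on the host. If the Safe Mode flag is present and the machine has not yet rebooted, `bcdedit /deletevalue {current} safeboot` removes it, but only after the host has been isolated and the evidence preserved.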

ShadowSpear

SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices to provide security coverage across the environment. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.