Since the attack on Colonial Pipeline, the ransomware group DoppelPaymer has gone quiet and has not posted any new victims to its leak site. Researchers originally speculated that the group had stepped back to let the news coverage of high-profile ransomware attacks subside. Now, after analyzing the Grief ransomware, researchers at Zscaler have pointed out that the connection between the two makes the similarities hard to dismiss. Grief was first discovered in June and was believed to be a new Ransomware-as-a-Service (RaaS). Researchers stated that the two use the same encrypted file format and the same distribution channel, the Dridex botnet. The two also share the same code implementing identical encryption algorithms (2048-bit RSA and 256-bit AES), the same import hashing, the same entry point offset calculation, and the same threat of GDPR fines in the ransom note. The differences between DoppelPaymer and Grief are mostly cosmetic, and researchers are fairly certain that this is the same ransomware previously seen as DoppelPaymer.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased