Threat Watch

DoppelPaymer Ransomware Rebranded as Grief

Since the attack on Colonial Pipeline, the ransomware threat group DoppelPaymer has gone silent and has not posted any new victims to its leak site. Researchers originally speculated that the group had stepped back to let the news coverage of high-profile ransomware attacks subside. Now, after analyzing the Grief ransomware, researchers at Zscaler have pointed out similarities between the two that make the connection hard to dismiss. Grief was first discovered in June and was initially believed to be a new Ransomware-as-a-Service (RaaS). Researchers state that the two use the same encrypted file format and the same distribution channel, the Dridex botnet. They also share the same code, which implements identical encryption algorithms (2048-bit RSA and 256-bit AES), the same import hashing and entry point offset calculation, and both invoke the threat of GDPR fines. The differences between DoppelPaymer and Grief are mostly cosmetic, and researchers are fairly certain that this is the same ransomware previously seen as DoppelPaymer.

ANALYST NOTES

Ransomware groups rebranding is not a new tactic. Groups rebrand to evade government sanctions: some countries have banned ransom payments to specific named groups. Grief has more than 24 victims listed on its leak site, showing that the threat group has been busy infecting victims. Ransomware continues to hit new organizations and entities, with many groups still posting new victims to their leak sites. Companies should have defenses in place to mitigate these attacks when they happen. It is advised to back up data regularly and to password-protect those backups. Utilizing a monitoring service such as Binary Defense's Managed Detection and Response can also help identify attacks quickly and mitigate them.

https://www.bleepingcomputer.com/news/security/grief-ransomware-operation-is-doppelpaymer-rebranded/