DoppelPaymer is, in almost every documented case, dropped by Dridex before it encrypts a network. Dridex, a banking trojan that is also used as a delivery mechanism for other malware, often deploys DoppelPaymer to increase the payout for high-value targets. This news comes on the heels of other high-profile attacks on local governments within the past few months.
After Dridex has landed in an environment, the threat actors typically use Mimikatz on systems where they have local administrator or SYSTEM-level access to gather user credentials and tokens from memory, then use those credentials to move laterally across the affected enterprise network. Because credentials are so easy to gather this way, ransomware offers a low effort-to-payout ratio compared to Dridex’s method of injecting code into webpages through browsers to steal online banking credentials.
Taking steps to block Mimikatz with measures such as removing Windows debug permissions from administrator accounts, enabling LSASS protections, disabling WDigest, disabling credential caching, utilizing the “Protected Users” AD group, and leveraging Credential Guard are all best practices. These measures create barriers that prevent attackers from effectively using Mimikatz to gather credentials, reduce the damage that attackers can do, and increase the time that defenders have to detect an intrusion by forcing the attacker to attempt several methods of gaining administrator access. If the visibility is available, looking for anomalous processes that have gained debug privileges can also detect these kinds of attacks. Catching attacks early through continuous monitoring and response by skilled analysts in a Security Operations Center is the last, best line of defense against cyber threats.
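The host-side mitigations listed above can be checked with a short read-only audit. The script below is an added example, not taken from the sources this post draws on; the registry value names and the `Win32_DeviceGuard` class are the standard Windows locations for these settings and are not given in the post. “Protected Users” membership is a domain-side setting and is not covered here.

```powershell
# Added example: read-only audit of local credential-theft hardening settings.
# Run from an elevated PowerShell session (secedit /export needs administrator rights).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$runAsPpl = Get-RegValue $lsa 'RunAsPPL'                # 1 or 2 = LSASS runs as a protected process
$useLogon = Get-RegValue $wdigest 'UseLogonCredential'  # 0 = WDigest keeps no cleartext password
$cached   = Get-RegValue $winlogon 'CachedLogonsCount'  # REG_SZ; "0" = no cached domain logons

# Credential Guard: ask the Device Guard CIM class what is running (1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

# Debug privilege: export the user-rights policy and read who holds SeDebugPrivilege.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$exported = Test-Path $cfg
$line = Get-Content $cfg -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^SeDebugPrivilege\s*=' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }

$results = @(
    [pscustomobject]@{ Control = 'LSASS protection (RunAsPPL)'; Value = $runAsPpl
                       Hardened = ($runAsPpl -in 1, 2) }
    [pscustomobject]@{ Control = 'WDigest UseLogonCredential'; Value = $useLogon
                       Hardened = ($useLogon -eq 0) }   # only an explicit 0 counts here
    [pscustomobject]@{ Control = 'CachedLogonsCount'; Value = $cached
                       Hardened = (($null -ne $cached) -and ([int]$cached -eq 0)) }
    [pscustomobject]@{ Control = 'Credential Guard running'; Value = $cgRunning
                       Hardened = $cgRunning }
    # S-1-5-32-544 is the built-in Administrators group.
    [pscustomobject]@{ Control = 'SeDebugPrivilege holders'
                       Value = if ($exported) { $holders } else { 'export failed' }
                       Hardened = ($exported -and ($holders -notmatch 'S-1-5-32-544')) }
)
$results | Format-Table -AutoSize
```

On Windows 8.1 / Server 2012 R2 and later an absent `UseLogonCredential` value also means WDigest caching is off; the script reports only an explicit `0` as hardened so that the setting is pinned rather than left to the default.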