Agile Collaboration

David Sanchez

Dopple Leaks Website Launched By DopplePaymer Ransomware To Publish Victim Data

DopplePaymer ransomware has been used to encrypt data from victims within critical industries worldwide such as healthcare, emergency services and education since August 2019, disrupting public access to these services, according to the FBI cyber division.

Initially, threat actors used ransomware solely to restrict access to user data by encrypting files on individual or organizational devices. In return for the decryption key, victims were required to pay a ransom in Bitcoin. At the time, the malware typically spread via malspam (malicious spam), a prevalent and effective method for delivering bulk emails that carry a malicious link or an infected document. Once a victim opens the file, a macro runs in the background and infects the device with malware designed to encrypt files. Without paying the ransom or having a set of backups, the victim loses all data on the device.

Because some victims had adequately trained their staff, or refused payment because they had taken precautions and kept backups, threat actors began to develop additional ways to put pressure on them. In 2019, the ransomware groups DopplePaymer and Maze did just that by doubling down and exfiltrating victim data. Thus, if victims decided not to pay the initial ransom because they had backups, they were threatened with the release of sensitive financial, customer, or personnel data. Unfortunately, this type of double extortion has become more frequent over the last two years, primarily because threat actors view exfiltration as a backup plan in the event their victims decide not to pay for decryption keys.

Today, there may be close to a dozen or more ransomware groups on the dark web that leak sensitive files to prove that data was stolen. The leak is often amplified when the media picks up on it, and the world soon learns about the latest ransomware victim. In the case of Apple, a journalist wrote an article about what devices were coming out based on leaked content, creating extreme pressure on Apple to protect its intellectual property. This raised the question of whether a journalist who covers revealed information is helping threat actors apply pressure on the victim.

So, what can we do to prevent additional layers of pressure from ransomware groups? Not much, to be honest. As victims build resistance to the threat actors' current TTPs and refuse to pay, ransomware groups will find new ways to pressure their victims into paying. There is too much profit involved for threat actors to walk away. In the beginning, you could survive a ransomware attack with adequate backups. Then the exfiltration of data made backups alone inadequate. Now, even if you believe you can withstand the public exposure of your sensitive data, you must also be able to protect your network against a DDoS attack. What's next?

The DopplePaymer ransomware team is one of several ransomware gangs that also deal in data leaks. They periodically publish the data of hacked companies and demand payment from the attacked companies, threatening to make the information public.

This ransomware tactic has been used since December 2019, but today cybercriminals appear to have taken it to a new level: the operators of REvil (Sodinokibi) ransomware launched an auction site similar to eBay, where they intend to sell the stolen data of their victims.

Typically, malware such as DoppelPaymer ransomware encrypts files with strong algorithms, so it is impossible for victims to decrypt data without specific tools held only by the developers of the ransomware. Unfortunately, even when cybercriminals have these tools, they tend not to send them: victims who pay are generally scammed.

Update February 4, 2020 - Crooks have released an updated version of DoppelPaymer ransomware that is virtually the same. The main difference is in the threats written on its website. Originally, the developers claimed that they had stolen some data and would make it public unless the ransom was paid.

Update February 27, 2020 - The developers of DoppelPaymer ransomware have recently started leaking information stolen from various victims. The data is stored on a public website named "Dopple Leaks" hosted on the Tor network.

This, however, is rare. In most cases, ransomware infections deliver more direct messages simply stating that data is encrypted and that victims must pay some sort of ransom. Note that ransomware-type infections typically generate messages with different file names (for example, "_readme.txt", "READ-ME.txt", "DECRYPTION_INSTRUCTIONS.txt", "DECRYPT_FILES.html", etc.). Therefore, using the name of a ransom message may seem like a good way to identify the infection. The problem is that most of these names are generic, and some infections use the same names even though the delivered messages are different and the infections themselves are unrelated. Using the message filename alone can therefore be ineffective and even lead to permanent data loss: by attempting to decrypt data with tools designed for a different ransomware infection, users are likely to permanently damage their files, after which decryption will no longer be possible even with the correct tool.
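The point above, that a ransom-note filename is only a hint and that identification has to come from the note's content, can be shown with a small triage script. The following Python is an added example written for this post, not code from the original or from any tool it mentions; it uses the generic filenames quoted above, and the sample notes it builds are constructed placeholders (the `.onion` host and e-mail addresses are made up and labelled as such).

```python
"""Ransom-note triage: find candidate notes by their generic filenames, then
fingerprint each by content so unrelated notes sharing a name are kept apart."""
import hashlib
import os
import re
import tempfile

# Generic ransom-note filenames quoted in the post. Unrelated families reuse
# these names, so a filename match is a hint for triage, not an identification.
GENERIC_NOTE_NAMES = {
    "_readme.txt",
    "read-me.txt",
    "decryption_instructions.txt",
    "decrypt_files.html",
}

# Contact details are what actually distinguish notes; extract them for lookup
# in a decryption-tool or ransomware-identification service.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def fingerprint_note(text):
    """Content features of one note: hash plus any Tor hosts and e-mails it names."""
    return {
        "sha256": hashlib.sha256(text.encode("utf-8", "replace")).hexdigest(),
        "onion_hosts": sorted({m.lower() for m in ONION_RE.findall(text)}),
        "emails": sorted(set(EMAIL_RE.findall(text))),
    }


def collect_notes(root):
    """Walk root and return one record per file whose name is a generic note name."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in GENERIC_NOTE_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                rec = {"path": path, "name": name}
                rec.update(fingerprint_note(text))
                records.append(rec)
    return records


def group_by_content(records):
    """Group notes by content hash: one group per distinct message, not per filename."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["sha256"], []).append(rec)
    return groups


def filename_collisions(records):
    """Map filename -> number of distinct note contents seen under that name.
    Any value above 1 is exactly the case the post warns about."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["name"].lower(), set()).add(rec["sha256"])
    return {name: len(hashes) for name, hashes in seen.items()}


def build_sample_tree():
    """Constructed sample (not real data): two unrelated notes under the same
    filename, plus one note under a different generic name."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    samples = {
        # placeholder .onion host, made up for this example
        "a/_readme.txt": "Your files are encrypted. Visit "
                         "http://exampleplaceholderaddressa.onion/ and pay.\n",
        # placeholder e-mail address, made up for this example
        "b/_readme.txt": "ALL YOUR FILES ARE ENCRYPTED! Write to "
                         "restore-files@example.test within 72 hours.\n",
        "c/DECRYPT_FILES.html": "<html><body>Contact us at "
                                "help-desk@example.test</body></html>\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    notes = collect_notes(build_sample_tree())
    for name, count in filename_collisions(notes).items():
        print(f"{name}: {count} distinct note content(s)")
    for rec in notes:
        print(rec["name"], rec["sha256"][:12], rec["onion_hosts"], rec["emails"])
```

Run against a real scan root instead of the sample tree, the collision count tells an analyst when two hosts with the same note name are in fact dealing with different infections, and the extracted contact details are the values worth submitting to an identification service before any decryption tool is tried.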

The encryption algorithms used by most ransomware-type infections are extremely sophisticated and, if the encryption is performed properly, only the developer is capable of restoring data. This is because decryption requires a specific key, which is generated during encryption; restoring data without the key is impossible. In most cases, cybercriminals store keys on a remote server rather than on the infected machine. Dharma (CrySis), Phobos, and other families of high-end ransomware are virtually flawless, so restoring encrypted data without the developers' involvement is simply impossible. Despite this, there are dozens of ransomware-type infections that are poorly developed and contain a number of flaws (for example, the use of identical encryption/decryption keys for every victim, keys stored locally, etc.). Therefore, always check for available decryption tools for any ransomware that infiltrates your computer.

If the victim does not comply, the attackers may also threaten to leak the sensitive data to third parties for illegal purposes. Ransomware is found all over the world and is constantly evolving with new variants. Any computer system without adequate preventive measures is vulnerable to ransomware attacks.

The decision to pay or not pay the ransom depends on how critical and urgent the data is. Sometimes, paying the ransom may be the worst idea: a Kaspersky report revealed that over half of the victims pay the ransom, but only a quarter of victims were able to get their data returned.
