DoppelPaymer Operators Set Up New Site to Expose Victims’ Files

Operators behind the file-encrypting DoppelPaymer ransomware are now following the name-and-shame tactic pioneered by the cybercriminals behind the Maze ransomware. According to reports, the DoppelPaymer operators set up a website called “Dopple Leaks” on Feb 25, where they publish files stolen from victims who do not pay.

According to Techdator, the ransomware operators have started leaking the data of victims who have either refused to pay the ransom or missed the payment deadline.

The victims exposed on the site include the Mexican state-owned oil company Pemex, which refused to pay the 568 bitcoins demanded in November 2019; a merchant account company from the USA, which did not pay the 15 bitcoins the attackers demanded; a South African logistics and supply chain firm, which was initially asked to pay a ransom of about 50 bitcoins; and a French telecommunications and cloud services provider, which also failed to respond to an original ransom demand of about 35 bitcoins.

DoppelPaymer Operators Set Up New Site

According to a report from Bleeping Computer, the group behind the attacks has described the site as still being in “test mode.” The criminals also said that the data stolen from Pemex consists of a large amount of “still unsorted” files, while the data taken from the other three victims is comparatively small because there was “nothing interesting.”

“They stated that they do plan on performing more data exfiltration now that this site has been created,” the report added.

First discovered in June of 2019, the DoppelPaymer ransomware takes its name from BitPaymer, another malware family with which it shares large portions of code.

In an earlier report from Bleeping Computer, CrowdStrike researchers said they had observed several parallels between DoppelPaymer and BitPaymer, especially in their payment portals. Although the two differ in their encryption schemes, the fact that they share significant amounts of code suggests a connection between them.

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,” researchers from CrowdStrike explained.

To date, Bleeping Computer continues to advise companies to treat ransomware attacks as data breaches and to be transparent about data theft.