Blue Hexagon Blog

Ransomware Families – DoppelPaymer

DoppelPaymer was first identified in July 2019 as being a possible variant of BitPaymer. 

DoppelPaymer is delivered through phishing emails and malicious email attachments. 

Ransom amounts vary from 2 Bitcoin to 100 Bitcoin (almost 1,000,000 USD) and the ransom note contains a URL for a TOR payment portal.

Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorythm .
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
DO NOT use any recovery software with restoring files overwriting encrypted.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at your personal page:
1. Download and install Tor Browser: https://www.torproject.org/download/
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
{unique url}
4. Follow the instructions on the site
5. You should get in contact in 48 HOURS since your systems been infected.
6. The link above is valid for 7 days.
After that period if you not get in contact
your local data would be lost completely.
The faster you get in contact – the lower price you can expect.
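The note above is the most reliable host-side artifact a responder will find: it is dropped as a readme file next to the encrypted data and its wording is distinctive. The following triage script is an added example (not Blue Hexagon code and not part of the original post): it walks a directory tree, reads small text files, and flags any whose contents contain several of the phrases quoted in the note, extracting the Tor portal link if one is present. The marker phrases are taken from the note on this page; the .onion URL pattern is an assumption (the page shows only "{unique url}"), and the sample note and benign readme are constructed.

```python
"""Triage helper: flag files whose contents match the DoppelPaymer-style
ransom note quoted above.  Added example, not Blue Hexagon's code.
Marker phrases come from the note on the page; sample files are constructed."""
import os
import re
import tempfile

# Distinctive phrases taken verbatim (lower-cased) from the ransom note above.
NOTE_MARKERS = [
    "your network has been penetrated",
    "encrypted with a strong algorythm",
    "shadow copies also removed",
    "do not reset or shutdown",
    "download and install tor browser",
    "valid for 7 days",
]

# Assumption: the "TOR payment portal" link is a .onion URL (base32 host).
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)


def score_note(text):
    """Return (number_of_marker_phrases_found, [onion urls]) for a text blob."""
    lowered = text.lower()
    hits = [m for m in NOTE_MARKERS if m in lowered]
    return len(hits), ONION_RE.findall(text)


def is_ransom_note(text, threshold=3):
    """A file is treated as a note when at least `threshold` markers match."""
    return score_note(text)[0] >= threshold


def scan_tree(root, threshold=3, max_bytes=64 * 1024):
    """Walk `root` and return (path, hits, urls) for files that look like notes.
    Large files and anything containing NUL bytes (binary, including the
    encrypted files themselves) are skipped so the scan stays cheap."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:
                continue
            hits, urls = score_note(raw.decode("utf-8", errors="replace"))
            if hits >= threshold:
                findings.append((path, hits, urls))
    return findings


# Constructed sample note: lines from the quoted note plus a placeholder
# .onion address (not a real portal), alongside an unrelated readme.
SAMPLE_NOTE = (
    "Your network has been penetrated.\n"
    "All files on each host in the network have been encrypted with a strong algorythm .\n"
    "Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.\n"
    "DO NOT RESET OR SHUTDOWN - files may be damaged.\n"
    "1. Download and install Tor Browser: https://www.torproject.org/download/\n"
    "3. Type in the address bar:\n"
    "http://exampleplaceholderaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion/abc123\n"
)
SAMPLE_README = "This project builds the widget. Run make to compile.\n"


def demo():
    """Create a temporary tree holding both files, scan it, return findings
    as (file name, marker hits, urls)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "share", "docs"))
        with open(os.path.join(tmp, "share", "docs", "README.md"), "w") as fh:
            fh.write(SAMPLE_README)
        with open(os.path.join(tmp, "share", "readme.txt"), "w") as fh:
            fh.write(SAMPLE_NOTE)
        found = scan_tree(tmp)
    return [(os.path.basename(p), hits, urls) for p, hits, urls in found]


if __name__ == "__main__":
    for name, hits, urls in demo():
        print(f"{name}: {hits} marker(s), urls={urls}")
```

The threshold of three phrases keeps a single coincidental match (an internal document that mentions shadow copies, say) from firing; on a real engagement the extracted portal URL and the note's exact wording are what get compared against other hosts to confirm the family and scope.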

DoppelPaymer follows Maze Ransomware in that it exfiltrates data from the victim and threatens to publish the stolen data if the ransom is not paid. Doppel Leaks was created by the group to publish victim data.

If you are interested in learning about other Ransomware families that we have published research reports on, you can read more here.