Threat Group Cards: A Threat Actor Encyclopedia

APT group: Doppel Spider

Names: Doppel Spider (CrowdStrike), Gold Heron (SecureWorks), Grief Group (self-given)
Country: Russia
Motivation: Financial gain
First seen: 2019
Description: (CrowdStrike) CrowdStrike Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by Indrik Spider. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

DoppelPaymer has been observed to be distributed by Smoke Loader (operated by Smoky Spider) and Emotet (operated by Mummy Spider, TA542).
Observed sectors: Government, Manufacturing.
Observed countries: Austria, Brazil, Canada, Chile, Dominican Republic, France, Germany, Greece, Italy, Mexico, Portugal, Spain, Switzerland, Thailand, UK, USA.
Tools used: Cobalt Strike, DoppelPaymer, Grief.
Operations performed:
Feb 2020: The DoppelPaymer ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a ransom demand.
<https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/>
Mar 2020: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay.
<https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/>
Jun 2020: DoppelPaymer ransomware gang claims to have breached DMI, a major US IT and cybersecurity provider and one of NASA's IT contractors.
<https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/>
Aug 2020: UK research university Newcastle University says that it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of August 30th.
<https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-newcastle-university-leaks-data/>
Sep 2020: A death occurred after a patient was diverted to a nearby hospital when the Duesseldorf University Hospital suffered a ransomware attack.
<https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/>
Oct 2020: On October 7th, Hall County in Georgia announced that it had suffered a ransomware attack that impacted its networks and phone systems.
<https://www.bleepingcomputer.com/news/security/georgia-county-voter-information-leaked-by-ransomware-gang/>
Nov 2020: Compal, the second-largest laptop manufacturer in the world, hit by ransomware.
<https://www.zdnet.com/article/compal-the-second-largest-laptop-manufacturer-in-the-world-hit-by-ransomware/>
Nov 2020: MasterChef, Big Brother producer hit by DoppelPaymer ransomware.
<https://www.bleepingcomputer.com/news/security/masterchef-big-brother-producer-hit-by-doppelpaymer-ransomware/>
Dec 2020: Foxconn electronics giant hit by ransomware, $34 million ransom.
<https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/>
Feb 2021: Kia Motors America suffers ransomware attack, $20 million ransom.
<https://www.bleepingcomputer.com/news/security/kia-motors-america-suffers-ransomware-attack-20-million-ransom/>
Apr 2021: Breach of the Illinois Attorney General’s Office.
<https://illinoisattorneygeneral.gov/pressroom/2021_04/20210413.html>
Jul 2021: DoppelPaymer ransomware gang rebrands as the Grief group.
<https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang-rebrands-as-the-grief-group/>
Sep 2021: Ransomware gang threatens to wipe decryption key if negotiator hired.
<https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-wipe-decryption-key-if-negotiator-hired/>
Sep 2021: Grief Gang’s new quadruple extortion scheme doesn’t change the game.
<https://www.cybereason.com/blog/grief-gangs-new-quadruple-extortion-scheme-doesnt-change-the-game>
Oct 2021: Grief ransomware gang claims 41 new victims, targeting manufacturers, municipalities and service companies in the U.K. and Europe.
<https://www.esentire.com/security-advisories/grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe>
Oct 2021: NRA: no comment on Russian ransomware gang attack claims.
<https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/>

Counter operations:
Feb 2023: Germany and Ukraine hit two high-value ransomware targets.
<https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets>
Sep 2023: DoppelPaymer ransomware group suspects identified.
<https://www.malwarebytes.com/blog/news/2023/09/doppelpaymer-ransomware-group-suspects-identified>
Information:
<https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/>
<https://lifars.com/2019/11/from-dridex-to-bitpaymer-ransomware-to-doppelpaymerthe-evolution/>
<https://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/>
<https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/>
<https://beta.documentcloud.org/documents/20428892-doppelpaymer-fbi-pin-on-dec-10-2020>

Last change to this card: 12 October 2023
