{
	"id": "bbc05438-1a4f-472f-9a95-bb96ccfb23c2",
	"created_at": "2026-04-06T00:15:34.351445Z",
	"updated_at": "2026-04-10T13:11:39.833452Z",
	"deleted_at": null,
	"sha1_hash": "17f64af379917668c33aaeb4289106c31dc7a692",
	"title": "Customer Guidance for the Dopplepaymer Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42304,
	"plain_text": "Customer Guidance for the Dopplepaymer Ransomware\r\nBy simon-pope\r\nPublished: 2019-11-20 · Archived: 2026-04-05 14:07:11 UTC\r\nMicrosoft has been investigating recent attacks by malicious actors using the Dopplepaymer ransomware. There is\r\nmisleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in\r\nwhich this malware spreads. Our security research teams have investigated and found no evidence to support these\r\nclaims. In our investigations we found that the malware relies on remote human operators using existing Domain\r\nAdmin credentials to spread across an enterprise network.\r\nWe want to help businesses and governments around the world better protect themselves from these attacks.\r\nProtection from Dopplepaymer and other malware is already available for customers using Windows Defender,\r\nand we will continue to enhance these protections as we identify new emerging threats.\r\nGlobally, ransomware continues to be one of the most popular revenue channels for cybercriminals as part of a\r\npost-compromise attack. They tend to target enterprise environments through methods like social engineering,\r\nenticing an employee to click a link to visit an infected site, and opening downloaded or emailed infected\r\ndocuments and programs on their computers.\r\nSecurity administrators should view this threat as additional motivation to enforce good credential hygiene, least\r\nprivilege, and network segmentation. These best practices can help prevent Dopplepaymer operators and other\r\nattackers from disabling security tools and using privileged credentials to destroy or steal data or hold it for\r\nransom.\r\nMore information on ransomware and how to stay safe online is available here.\r\n— Mary Jensen and Dan West, Senior Security Program Managers, MSRC\r\nBlueKeep\r\nDoppepaymer\r\nMalware\r\nMicrosoft Teams\r\nRansomware\r\nRDP\r\nSource: https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/"
	],
	"report_names": [
		"customer-guidance-for-the-dopplepaymer-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17f64af379917668c33aaeb4289106c31dc7a692.pdf",
		"text": "https://archive.orkl.eu/17f64af379917668c33aaeb4289106c31dc7a692.txt",
		"img": "https://archive.orkl.eu/17f64af379917668c33aaeb4289106c31dc7a692.jpg"
	}
}