{
	"id": "09113683-9118-4583-8189-a210c794c19b",
	"created_at": "2026-04-06T00:21:14.897593Z",
	"updated_at": "2026-04-10T03:20:22.727618Z",
	"deleted_at": null,
	"sha1_hash": "1cc77f9344bb3ad42d9cbd8232627273610a599a",
	"title": "DoppelPaymer Continues to Cause Grief Through Rebranding | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 505097,
	"plain_text": "DoppelPaymer Continues to Cause Grief Through Rebranding | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2021-07-28 · Archived: 2026-04-05 20:22:37 UTC\r\nIn early May 2021, DoppelPaymer ransomware activity dropped significantly. Although the DoppelPaymer leak site still remains online, there has not been a new victim post since May 6, 2021. In addition, no victim posts have been updated since the end of June. This lull is likely a reaction to the Colonial Pipeline ransomware attack, which occurred on May 7, 2021. However, the apparent break is actually due to the threat group behind DoppelPaymer rebranding the ransomware under the name Grief (aka Pay OR Grief). An early Grief ransomware sample was compiled on May 17, 2021. This sample is particularly interesting because it contains the Grief ransomware code and ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal. This suggests that the malware author may have still been in the process of developing the Grief ransom portal. Ransomware threat groups often rebrand the name of the malware as a diversion. An example Grief ransom note can be found in the ThreatLabz GitHub repository here.\r\nIn this blog, we will compare the similarities between DoppelPaymer and Grief ransomware. Both ransomware leak sites are nearly identical, including shared code that displays a captcha to prevent automated crawling, as shown in Figure 1.\r\nFigure 1. Grief ransomware (left) and DoppelPaymer (right) captcha\r\nThe main landing page has changed the term latest proofs to griefs in progress and latest leaks to complete griefs. The victim-specific leak page layouts are also identical, as shown below in Figure 2, containing the victim's URL, organizational description, images of stolen data, example stolen data files, and a list of machines that were compromised.\r\nFigure 2. Grief ransomware (left) and DoppelPaymer (right) victim leak pages\r\nThe Grief ransom portal has some differences from the DoppelPaymer portal. In particular, the ransom demand payment method is made in Monero (XMR) instead of Bitcoin (BTC). This switch in cryptocurrencies may be in response to the FBI recovering part of the Colonial Pipeline ransom payment. The Grief ransom portal, however, kept the same live chat code that allows victims to resume a previous conversation or to start a new conversation, as shown in Figure 3.\r\nFigure 3. Grief ransomware (left) and DoppelPaymer (right) victim ransom portals\r\nThe Grief ransomware portal and leak site also attempt to weaponize the European Union’s General Data Protection Regulation (GDPR) to pressure businesses into paying a ransom to avoid potential fines.\r\nThe malware code differences between DoppelPaymer and Grief are also relatively minimal. Grief samples removed the embedded ProcessHacker binaries. However, Grief still retains the code to decrypt data from the binary’s .sdata section. The Grief string encryption algorithm is similar to DoppelPaymer's, except that the RC4 key was increased from a length of 40 bytes to 48 bytes. The vast majority of the two codebases are very similar, with identical encryption algorithms (2048-bit RSA and 256-bit AES), import hashing, and entry point offset calculation.\r\nConclusion\r\nGrief ransomware is the latest version of DoppelPaymer ransomware with minor code changes and a new cosmetic theme. The threat group has been very active since the release of Grief in the middle of May 2021. However, they have been successful in maintaining a low profile so far, which is notable in light of recent high-profile attacks including the Colonial Pipeline hack by Darkside ransomware and the Kaseya supply-chain attack by REvil.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs can be used to detect Grief ransomware.\r\nSource: https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding"
	],
	"report_names": [
		"doppelpaymer-continues-cause-grief-through-rebranding"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cc77f9344bb3ad42d9cbd8232627273610a599a.pdf",
		"text": "https://archive.orkl.eu/1cc77f9344bb3ad42d9cbd8232627273610a599a.txt",
		"img": "https://archive.orkl.eu/1cc77f9344bb3ad42d9cbd8232627273610a599a.jpg"
	}
}