{
	"id": "bc06826e-3294-4f49-b973-c81c8d0a3728",
	"created_at": "2026-04-06T00:21:36.546126Z",
	"updated_at": "2026-04-10T13:11:51.540915Z",
	"deleted_at": null,
	"sha1_hash": "21fc8477ab1010283e999fe1aa63a77dad16b8af",
	"title": "DoppelPaymer Ransomware Sells Victims' Data on Darknet if Not Paid",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 917280,
	"plain_text": "DoppelPaymer Ransomware Sells Victims' Data on Darknet if Not Paid\r\nBy Lawrence Abrams\r\nPublished: 2020-02-03 · Archived: 2026-04-05 17:38:02 UTC\r\nThe DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a\r\nransom demand.\r\nA new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim's files before\r\nencrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom.\r\nThis new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied\r\nUniversal for not paying a ransom.\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nSince then, Sodinokibi/REvil published stolen data and the Nemty Ransomware announced in their RaaS affiliate panel that\r\nthey would start doing it as well.\r\nIt is now DoppelPaymer's turn, who has told BleepingComputer that they have sold victim's data on the darknet in the past\r\nwhen they did not pay the ransom.\r\nDoppelPaymer claims to sell victim's data\r\nWhen looking at the DoppelPaymer Tor payment site, BleepingComputer noticed that they had recently started to tell\r\nvictims that they have stolen their data and will to publish or sell it if a ransom is not paid.\r\n\"Also we have gathered all your private sensitive data.\r\nSome sensetive information stolen from the file servers will be disclosed to public or sold to a re-seller if you decide not to\r\npay.\r\nIt will harm your business reputation.\"\r\nDoppelPaymer Tor Site\r\nRed box added by BleepingComputer\r\nIn emails with the DoppelPaymer Ransomware operators, the threat actors told BleepingComputer that for almost a year\r\nthey have been stealing data from their victims. They also claimed to have anonymously sold stolen files on the darknet in\r\nthe past when a victim chose not to pay the ransom.\r\nThis was done to \"cover some costs\".\r\nWhile DoppelPaymer told us that they have not publicly released stolen data as of yet, the Maze Ransomware operators\r\nhave shown that doing so will increase the number of payments.\r\n\"MAZE shown the world that success rates are increased after sharing some data\", DoppelPaymer told BleepingComputer.\r\nBased on the new threats on the Tor payment site, it appears that they plan on adopting this tactic soon as well.\r\nAs proof that they are stealing data, the DoppelPaymer operators shared two Excel spreadsheets containing a list of the\r\nWindows Domain users on two networks that they compromised.\r\nThey did not, though, share any of their victim's allegedly stolen files.\r\nRansomware attacks are now data breaches\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/\r\nPage 3 of 4\n\nWith ransomware operators now routinely stealing victim's data and publishing or selling it if not paid, ransomware attacks\r\nneed to be classified as data breaches.\r\nBased on the stolen data seen by BleepingComputer in recent ransomware extortion attempts, it is clear that sensitive and\r\nprivate information of not only businesses, but also employees, is being stolen and released.\r\nIt is now important that companies be transparent and report ransomware attacks so that all affected users, and not just the\r\ncompany, are protected from the leak of personal data.\r\nDoppelPaymer begins using a new extension\r\nRecent versions of the DoppelPaymer ransomware have also switched to a new dedicated .doppeled extension for encrypted\r\nfiles.\r\nBleepingComputer was told by the DoppelPaymer operators that this was done to make it easier for victims to know what\r\nransomware encrypted their network. \r\nAs DoppelPaymer is an offshoot of the BitPaymer ransomware, making this extension change makes it easier to differentiate\r\nbetween the two families.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/"
	],
	"report_names": [
		"doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid"
	],
	"threat_actors": [],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21fc8477ab1010283e999fe1aa63a77dad16b8af.pdf",
		"text": "https://archive.orkl.eu/21fc8477ab1010283e999fe1aa63a77dad16b8af.txt",
		"img": "https://archive.orkl.eu/21fc8477ab1010283e999fe1aa63a77dad16b8af.jpg"
	}
}