{
	"id": "ee886cae-c8ff-44bf-86be-f51157734a93",
	"created_at": "2026-04-06T00:13:34.293293Z",
	"updated_at": "2026-04-10T03:31:09.602014Z",
	"deleted_at": null,
	"sha1_hash": "4194c9d9510fb579ebe3148df1f8bf297f23f9a4",
	"title": "New DoppelPaymer Ransomware Emerges from BitPaymer's Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2836622,
	"plain_text": "New DoppelPaymer Ransomware Emerges from BitPaymer's Code\r\nBy Ionut Ilascu\r\nPublished: 2019-07-15 · Archived: 2026-04-05 19:15:16 UTC\r\nMalware researchers have discovered a new file-encrypting malware they dubbed DoppelPaymer that has been claiming victims since at least mid-June, asking hundreds of thousands of US dollars in ransom.\r\nThe ransomware strain has at least eight variants that extended their feature set gradually, with the earliest one dating from April.\r\nVictims in the public service sector\r\nDoppelPaymer takes its name from BitPaymer, with which it shares much more than large portions of code. There are three confirmed victims of this ransomware strain, which priced its decryption keys between 2 BTC and 100 BTC, say researchers from CrowdStrike.\r\nhttps://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/\r\nPage 1 of 5\r\nThe bitcoin price in late April was around $5,150 and kept rising ever since, with lows well above the $7,000 mark and peaking above $12,000 in late June and early July.\r\nOne of the victims is the City of Edcouch, Texas, which was left with a ransom note demanding 8 BTC to decrypt the data on the affected computers.\r\nIt is unclear when the Edcouch administration was attacked, but city officials said that the amount converted to about $40,000. This makes it likely that the compromise happened in early May or before, when the bitcoin price dipped below $5,500.\r\nAnother victim was the Chilean Ministry of Agriculture, the researchers said in a report last week. The country's Computer Security Incident Response Team (CSIRT) confirmed on July 1 that a ransomware attack hit servers from a public service connected to the Ministry of Agriculture.\r\nParallel extortion activity\r\nCrowdStrike researchers observed some striking similarities between DoppelPaymer's payment portal and the original one for BitPaymer. One striking hint linking the two ransomware threats is the \"Bit paymer\" title at the top of the page, but they're similar all over.\r\nAnother clue pointing to a connection between the two pieces of malware is that they \"share significant amounts of code.\" However, they have different encryption schemes.\r\nWhere DoppelPaymer combines 2048-bit RSA keys with 256-bit AES, the latest BitPaymer versions use 4096-bit RSA with the same specification for symmetric encryption.\r\nAlso, there is standard AES encryption padding (PKCS#7) in DoppelPaymer, while BitPaymer uses random bytes specified in a field called 'TAIL.'\r\nBy analyzing differences and similarities between the two, Brett Stone-Gross, Sergei Frankoff and Bex Hartley of CrowdStrike's research and threat intel team believe that the new ransomware strain may be the work of a BitPaymer group member that started their own ransomware business.\r\n\"Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation.\" - CrowdStrike\r\nThe new ransomware includes modifications that make it superior to BitPaymer, such as a threaded encryption process for quicker operation.\r\nThe operators of BitPaymer are the same individuals behind the Dridex banking trojan, collectively known as INDRIK SPIDER. They are former affiliates of the cybercriminal gang calling itself \"The Business Club.\"\r\nThe group is responsible for using the GameOver Zeus botnet (disrupted in 2014), believed to have infected over one million computers, and causing damages in excess of $100 million to businesses and financial institutions across the world.\r\nSource: https://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/"
	],
	"report_names": [
		"new-doppelpaymer-ransomware-emerges-from-bitpaymers-code"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4194c9d9510fb579ebe3148df1f8bf297f23f9a4.pdf",
		"text": "https://archive.orkl.eu/4194c9d9510fb579ebe3148df1f8bf297f23f9a4.txt",
		"img": "https://archive.orkl.eu/4194c9d9510fb579ebe3148df1f8bf297f23f9a4.jpg"
	}
}