{
	"id": "0b856e8d-928b-4ddd-9709-f15183293540",
	"created_at": "2026-04-06T00:15:01.513728Z",
	"updated_at": "2026-04-10T03:34:16.730833Z",
	"deleted_at": null,
	"sha1_hash": "74bf5572d577d3f8c96379fecde7f14bb801580a",
	"title": "Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; \u0026 Service Companies in U.K. \u0026 Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1116816,
	"plain_text": "Grief Ransomware Gang Claims 41 New Victims, Targeting\r\nManufacturers; Municipalities; \u0026 Service Companies in U.K. \u0026\r\nEurope\r\nArchived: 2026-04-05 23:10:43 UTC\r\nGrief Operators Earned an Estimated 8.5 Million British Pounds in Four Months\r\nKey Findings:\r\nThe Grief Ransomware Gang (a rebrand of the DoppelPaymer Ransomware Group) claims to have infected\r\n41 new victims between May 27, 2021—Oct. 1, 2021 with their ransomware.\r\nOver half the companies listed on Grief’s underground leak site are based in the U.K. and Europe. The\r\nGrief Ransomware Gang appears to have altered its Motus Operandi (MO), targeting more corporate and\r\npublic entities in the U.K. and Europe than the United States. They also seem to be backing away from\r\nU.S. hospitals and emergency healthcare services, previously a top target for them.\r\nGrief Victims in U.K. and Europe include a variety of manufacturers:\r\nthose producing machinery for railways, sea harbours and shipyards\r\nmanufacturers of food and beverages\r\nmanufacturers of heavy construction materials \r\nmanufacturers of fluid handling equipment for the oil and gas industry and the food industry\r\nmanufacturers of computer hardware\r\nmanufacturers of wood products\r\nmanufacturers of feed for livestock\r\nOther U.K. and European-based Grief Victims include:\r\na national network of pharmacies\r\nmunicipalities in Europe, including the second largest city in Greece, Thessaloniki. This city has\r\nover a million residents and reported on July 23, 2021, that it had to shut down all city services. 
A\r\nlarge government district in Germany, comprised of 10 towns and 2 municipalities.\r\nlarge producers/growers of fruits and vegetables\r\ndairy producers\r\nproviders of food services and hospitality services\r\nThe Grief Gang has earned an estimated £8.39M (approximately £2.1 million per month), equaling €9.86M\r\nand $11.4M USD.\r\nMany of the corporations, municipalities and educational institutions listed on Grief’s leak site have not\r\nbeen made public. NOTE: eSentire does not name ransomware victims unless the victim organisation\r\nhas made it public, or it has appeared in the news.\r\nThe Grief hackers include on their leak site the company name, web address and various documents reportedly\r\nbelonging to the organisation. The Grief Gang posts these documents to serve as proof that they have\r\ncompromised the organisations. The Grief gang also uses the exposed documents as a way of pressuring\r\nhttps://www.esentire.com/security-advisories/grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe\r\nPage 1 of 8\n\nthe victims to pay. It serves as a warning that, should the victims decide not to pay, Grief will expose more\r\nsensitive information. eSentire’s Threat Response Unit (TRU) found that the documents exposed, many of\r\nthem financial and HR-type documents, appear to be authentic.\r\nObservations of the Grief Gang’s Activities from Rob McLeod, VP of Threat\r\nResponse Unit (TRU)--eSentire\r\n“The Biden administration has increased pressure on other nations, primarily Russia, to rein in the cybercrime\r\ngroups operating out of their jurisdictions. This focused attention could be the reason why the Grief Ransomware\r\nGang is shifting their attention away from North America to target businesses and municipal governments in other\r\nwealthy Western markets, specifically the U.K. 
and Europe.”\r\n“The history of cybercrime is filled with examples where a threat group pretends to shut down and another one,\r\nwith clear similarities in techniques, malware and targets, emerges a few months or even weeks after. We saw\r\nDoppelPaymer cease posting victims to their leak site in May, and suddenly the Grief ransomware leak site\r\nappears in June. If history is any guide, then businesses and government organisations (particularly, regional and\r\nlocal municipalities) in the U.K. and Europe should be on high alert. Already, more than half of Grief's victims are\r\nbased in these markets.”\r\n“The TRU team found that among the 41 Grief victims, 5 are municipalities and one is a large government district\r\nconsisting of 10 towns and 2 municipalities. That the Grief actors attacked such organisations doesn’t surprise us,\r\nas this sector was a favorite target when the group went under the DoppelPaymer banner. Municipalities feel\r\nintense, immediate, and public pressure when their services are disrupted. The urgent need to restore services is a\r\nstrong motivator to pay off attackers. Likewise, providing services is an essential requirement of a functioning\r\ngovernment at all levels.”\r\nNote: Both municipal governments and educational institutions have been profitable for other ransomware groups,\r\nsuch as the Conti/Ryuk ransomware gang, which collected over $1,000,000 from just three small U.S.\r\nmunicipalities prior to 2021. These included Jackson County, Georgia, which paid a $400,000 ransom; Riviera\r\nBeach, Florida, which paid $594,000; and LaPorte County, Indiana, which paid $130,000.\r\neSentire believes Grief Group is a rebrand of DoppelPaymer Ransomware Group\r\nGrief Operators Earned an Estimated 8.5 Million British Pounds in Four Months\r\nThe Grief Ransomware Gang (aka: PayOrGrief) claims to have infected 41 new victims between May 27, 2021—\r\nOct. 
1, 2021, with their ransomware, according to eSentire’s security research team, the Threat Response Unit\r\n(TRU). Cybersecurity researchers, including TRU, believe the Grief Group is merely a rebrand of the\r\nDoppelPaymer Ransomware Group. In its May 2021 Ransomware Report, eSentire found that the DoppelPaymer\r\nGang was one of the most active ransomware groups, claiming to have infected 186 companies and public entities\r\nbetween 2019 and May 1, 2021. DoppelPaymer is considered one of the top ransomware groups, coming in just\r\nbehind the Sodin/REvil, Conti/Ryuk, Black Matter (formerly Darkside) and CLOP groups.\r\nWhen the Grief Group emerged on the ransomware scene at the end of May, TRU began tracking their activity\r\nand found that for the past four months they have been targeting multi-national corporations (especially\r\nmanufacturers), municipalities, service organisations and school districts. Their victims are located across Europe,\r\nthe U.K., the U.S. and Central America. However, TRU has observed that the Grief Ransomware Gang (formerly\r\nDoppelPaymer) has increased its focus on organisations in Europe and the U.K. specifically.\r\nOf the 41 victims named by Grief, 22 of them are headquartered out of Europe or the U.K. The victims include\r\nnumerous manufacturers, including those producing machinery for railways, sea harbours and shipyards,\r\nmanufacturers of food and beverages; a manufacturer of fluid handling equipment for the oil and gas industry and\r\nthe food industry; a manufacturer of computers, etc. 
Other victims include a national network of pharmacies,\r\nnumerous municipalities, including Thessaloniki, the second largest city in Greece with over a million residents\r\nand a government district in Germany, containing 10 separate towns and 2 municipalities.\r\nVictims Named on Grief Leak Site (based in U.K. and Europe):\r\nprominent producer of wine \u0026 champagne (France)\r\nmanufacturer of metal products (Italy)\r\nmanufacturer of wood products (Austria)\r\nlarge national chain of retail pharmacies (Italy)\r\nmanufacturer of lumber and other construction materials (France)\r\nlongtime provider of hospitality services (U.K.)\r\nlarge manufacturer of cranes used for harbours and shipyards (Germany)\r\na large manufacturer of machines used for maintaining railroads and a provider of railroad maintenance\r\nservices (Switzerland)\r\na global supplier and manufacturer of solutions and fluid-handling equipment for the Oil \u0026 Gas and Food\r\nindustry (France)\r\na prominent global developer and manufacturer of computer hardware and IT solutions (Austria)\r\na longtime manufacturer of feeds for animals (U.K.)\r\na designer, developer, and manufacturer of high-end kitchen and bedroom furniture (U.K.)\r\nThessaloniki, the second largest city in Greece. Thessaloniki has over a million residents (Greece)\r\na municipality in Italy (Italy)\r\na decades-old catering services company providing catering to the public and private sectors (Portugal)\r\na municipality north of Paris (France)\r\nan international developer and manager of oil palm and rubber plantations (France)\r\na mid-size, modern manufacturer of food products, specialising in high-volume quality production,\r\ndistributing their food products to major retailers, foodservice and manufacturing customers throughout the\r\nU.K., 
Europe and Middle East (U.K.)\r\na manufacturer of food products for packaged foods, as well as fresh food, including a variety of meats\r\n(France)\r\na large dairy producer (Austria)\r\na government district consisting of 10 towns and two municipalities (Germany)\r\na producer of fruits and vegetables and manufacturer of specialty foods (Spain)\r\nOther Grief Victims:\r\nan IT company specialized in cloud computing, data centers, IT outsourcing, service desk, and IT\r\nmanagement (Brazil)\r\na financial services company (Canada)\r\ntwo municipalities (U.S.)\r\nfive separate school districts (U.S.)\r\na provider of mental health and substance abuse rehabilitation services (U.S.)\r\na corporation made up of businesses in the hospitality and transit industry (Dominican Republic)\r\na large cotton cooperative (U.S.)\r\na company which produces vegetables and fruits, with operations in California and Mexico (U.S.)\r\na medical practice focused on dermatology and facial plastic surgery (U.S.)\r\na manufacturer of ingredients for dessert making (Mexico)\r\na 50-year-old + architectural, planning and interior design firm providing services to clients throughout the\r\nU.S. and internationally (U.S.)\r\na large car and truck dealership (U.S.)\r\nImage 1: Matisa Materiel Industrial S.A, a victim of Grief, is a Swiss company that has been in business for over\r\n70 years. Matisa Materiel Industrial S.A. 
manufactures rail maintenance machines and provides associated rail\r\nservices.\r\nImage 2: Matisa Materiel posts an announcement on their website about being attacked by ransomware.\r\nPotential Earnings of the Grief Ransomware Gang – June 1 to Oct. 1, 2021\r\nGrief claims to have hit 41 victims in just four months. Palo Alto’s research team found that the average\r\nransomware payment is up 82% in the first half of 2021, coming in at a record $570,000. Using the $570,000\r\nransom amount, and conservatively assuming only half of the purported Grief victims paid the ransom, the total\r\nransoms potentially earned by the Grief operators in just four months is approximately £8.39M, equal to €9.86M\r\nor $11.4M USD. That averages out at approximately £2.1 million per month.\r\nWhile we don’t know if all the manufacturers, municipalities, school systems and other entities Grief claims as\r\nvictims were compromised, typically eSentire does not see top ransomware operators, like Grief, fake a victim.\r\nAnd we do know that ransomware gangs are making plenty of money. A survey by Veritas Technologies found\r\nthat 66% of victims admitted to paying part or all of the ransom, and cybersecurity company Emsisoft estimated that\r\nthe true global cost of ransomware, including business interruption and ransom payments in 2020, was a minimum\r\nof $42bn and a maximum of nearly $170bn. As we reported in our May 2021 Ransomware Report and it remains\r\ntrue, the victim organisations we hear about publicly are nominal compared to the actual ransomware incidents.\r\nU.K. Cybersecurity Breaches Increase in 2021. 
Ransomware Incidents Increase Worldwide\r\nAs the United States applies pressure to other nations to rein in cybercrime gangs operating from within their\r\nborders, TRU is observing attackers increasingly targeting other wealthy Western nations in the United Kingdom\r\nand Europe.\r\nCyber Security Breaches Survey 2021, the most recent edition of a survey-driven report published annually by the\r\nU.K. government, found that, “Four in ten businesses (39%) and a quarter of charities (26%) report having cyber\r\nsecurity breaches or attacks in the last 12 months.” Other investigations found broadly consistent results. In\r\nAugust 2021 Computer Weekly reported that, “Accompanying the dramatic increase in ransomware attacks,\r\norganisations have also experienced a 29% increase in the number of cyberattacks globally, with the highest\r\ngrowth seen in the Europe Middle East and Africa (EMEA) region,” at 36%.\r\nDespite the well-documented increase in all kinds of cyberattacks—particularly ransomware—what is quite\r\nworrisome is another statistic brought out in the U.K. Cyber Security Breaches Survey. The authors of the survey\r\nreported, “fewer businesses are now deploying security monitoring tools (35% vs. 40% last year), and fewer\r\nbusinesses are undertaking any form of user monitoring (32% vs. 38%).” The survey’s authors suggest that these\r\ndecreases could be due to the added complexity of monitoring tools and employees in work-from-home\r\nenvironments (the 2020 report was based on pre-pandemic data, while 2021 was based on data and interviews\r\nspanning October 2020 to January 2021).\r\nRansomware operators, especially, have become very successful in recent years due in large part to a maturing\r\ncybercrime ecosystem of specialised services. 
The risk of real consequences for their actions is low, while the\r\nrewards are high, driving year-over-year increases of 93% in the number of ransomware incidents between 2020\r\nand 2021, according to a report by Check Point Software and an 82% increase in the average ransom payment to\r\n$570,000, according to Palo Alto. These two trends converge to create a ransomware market in which victims\r\nworldwide paid ransomware gangs more than $350M in cryptocurrency alone in 2020. Unfortunately, a portion of\r\nthese proceeds are reinvested into the ransomware ‘machine’ to fund an assortment of cybercrime operations,\r\nincluding research and development and—of course—more attacks.\r\nWhile ransom payments to restore services and extortion payments to prevent the release of stolen information\r\ndominate headlines, the costs to victim organisations also include:\r\nThe opportunity cost of redirecting scarce IT and security resources in response to the incident\r\nLoss of business or production due to service outages\r\nReputational cost (which may have a long-lasting impact)\r\nPotential regulatory and contractual penalties\r\nCosts associated with third-party incident responders and investigators\r\nConsequently, an attack need not generate revenue for the attacker for it to be incredibly costly for the victim\r\norganisations—so focusing on ransom and extortion payments alone substantially undercounts the true cost of\r\ncyberattacks.\r\nGrief Hackers Taunt their Victims\r\nThe Grief hackers seem to enjoy taunting their victims. On Grief’s underground leak site, they prominently post\r\nthe victim company’s name, company details and sample data stolen from the organisations. 
Ironically, the Grief\r\ngang also prominently displays various statistics around the cost of a data breach to a company, such as\r\n“Did you know that the cost of downtime is 10x higher than the ransom requested (per incident)?”\r\nThey display another cost statistic, from the Varonis 2018 Global Data Risk Report, on their leak site which reads:\r\n“The average cost of a data breach in 2017 was over $3.5 million.”\r\nAnd they cite on their leak site, almost verbatim, a portion of Article #33 of the General Data Protection\r\nRegulation (GDPR) rules:\r\n“In the event of a personal data breach, data controllers, should notify the appropriate supervisory authority\r\nwithout undue delay and, where feasible, not later than 72 hours after having become aware of it…” See image 3.\r\nIn September, the Grief threat actors showed real displeasure about victims bringing in professional negotiators,\r\npublishing the following edict on their leak site:\r\n\"We wanna play a game. If we see professional negotiator from Recovery Company™ - we will just destroy the\r\ndata. Recovery Company™ as we mentioned above will get paid either way. The strategy of Recovery\r\nCompany™ is not to pay requested amount or to solve the case but to stall. So we have nothing to loose in this\r\ncase. Just the time economy for all parties involved. What will this Recovery Companies™ earn when no ransom\r\namount is set and data simply destroyed with zero chance of recovery? We think - millions of dollars. Clients will\r\nbring money for nothing. 
As usual.\" --- Grief ransomware gang.\r\nEssentially, the Grief operators are saying that if a victim hires a negotiator, they will delete the victim's\r\ndecryption key, making it impossible to recover their files.\r\nImage 3: Grief’s Dark Web leak site where the ransomware gang names and shames some of their purported\r\nvictims. They also flaunt statistics relating to the costs of a data breach, the cost of paying a ransom, as opposed\r\nto having a company’s entire operation go down.\r\nThe Grief, DoppelPaymer, BitPaymer Connection\r\nThe DoppelPaymer ransomware group emerged in 2019 and is widely believed to be based on the BitPaymer\r\nransomware, due to similarities in code, ransom notes, and payment portals. In December 2020, the FBI issued a\r\nPrivate Industry Notification (PIN), DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical\r\nServices, warning that “Since late August 2019, unidentified actors have used DoppelPaymer ransomware to\r\nencrypt data from victims within critical industries worldwide such as healthcare, emergency services, and\r\neducation, interrupting citizens’ access to services.”\r\nAnd although the Grief Ransomware Gang (DoppelPaymer) does seem to have backed off U.S. hospitals and\r\nhealthcare organisations (perhaps they do not want to capture the unwanted attention and potential serious\r\nrepercussions from U.S. President Biden and U.S. law enforcement, like we saw with DarkSide and REvil/Sodin),\r\nit is clear from their current victim list that the Grief Gang is determined to continue targeting municipalities, both\r\nin Europe and the U.S., 
and educational institutions in the U.S.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you\r\npartner with us for security services to disrupt threats before they impact your business. Connect with an eSentire\r\nSecurity Specialist.\r\nSource: https://www.esentire.com/security-advisories/grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/security-advisories/grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe"
	],
	"report_names": [
		"grief-ransomware-gang-claims-41-new-victims-targeting-manufacturers-municipalities-service-companies-in-u-k-europe"
	],
	"threat_actors": [
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74bf5572d577d3f8c96379fecde7f14bb801580a.pdf",
		"text": "https://archive.orkl.eu/74bf5572d577d3f8c96379fecde7f14bb801580a.txt",
		"img": "https://archive.orkl.eu/74bf5572d577d3f8c96379fecde7f14bb801580a.jpg"
	}
}