{
	"id": "28627046-4037-4ddf-8a65-de5fca96b1ae",
	"created_at": "2026-04-06T00:21:50.749762Z",
	"updated_at": "2026-04-10T13:12:03.905973Z",
	"deleted_at": null,
	"sha1_hash": "89df581576a10b6396827f1645d7c84e524a3305",
	"title": "DoppelPaymer Ransomware Launches Site to Post Victim's Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1144517,
	"plain_text": "DoppelPaymer Ransomware Launches Site to Post Victim's Data\r\nBy Lawrence Abrams\r\nPublished: 2020-02-25 · Archived: 2026-04-05 14:58:19 UTC\r\nThe operators of the DoppelPaymer Ransomware have launched a site that they will use to shame victims who do not pay a\r\nransom and to publish any files that were stolen before computers were encrypted.\r\nA new extortion method started by the Maze Ransomware is to steal files before encrypting them and then use them as\r\nleverage to get victims to pay the ransom.\r\nIf a ransom is not paid, then the ransomware operators release the stolen files on a public 'news' site to expose the victim to\r\ngovernment fines, lawsuits, and the risk of the attack being classified as a data breach.\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nSoon after starting this tactic, other ransomware families including Sodinokibi, Nemty, and DoppelPaymer have stated that\r\nthey would begin this practice as well.\r\nDopplePaymer launches public leak site\r\nToday, the operators of the DoppelPaymer Ransomware have followed in Maze's footsteps and launched a site called\r\n'Dopple Leaks' that will be used to leak files and shame non-paying victims.\r\nDoppelPaymer is an enterprise-targeting ransomware that compromises a corporate network, eventually gains access to\r\nadmin credentials, and then deploys the ransomware on the network to encrypt all devices. As these attacks encrypt\r\nhundreds, if not thousands, of devices, they tend to have a huge impact on operators and the attackers demand a very large\r\nransom.\r\nThe ransomware operators state they have created this site as a threat to victims that if they do not pay, their data and names\r\nwill be leaked by the attackers.\r\nThe 'Dopple Leaks' Site\r\nThe ransomware operators have told BleepingComputer that this new site is in \"test mode\" and is currently being used\r\nmostly for shaming their victims and to publish a few files that were stolen from victims.\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nPage 3 of 5\n\nPemex information on the DoppelPaymer site\r\nCurrently listed on this page are four companies that DoppelPaymer claims to have encrypted and who did not pay the\r\nransom.\r\nOther than Pemex, BleepingComputer will only share descriptions of the other listed companies and the demanded ransoms\r\nthat were shared with us by the DoppelPaymer operators.\r\nA merchant account company based out of USA with a ransom amount of 15 bitcoins (~$150K).\r\nA French cloud hosting and enterprise telecommunications company with a ransom of 35 bitcoins (~$330K)\r\nA logistics \u0026 supply chain company based out of South Africa was encrypted on January 20th, 2020 with a ransom\r\namount of 50 bitcoins (~$500K).\r\nMexico's state-owned oil company Pemex was attacked by DoppelPaymer on November 10th, 2019. The attackers\r\ndemanded 568 bitcoins ($4.9 million at the time) for a decryptor.\r\nOf all the sites, DoppelPaymer told us that they only stole a large amount of \"still unsorted\" files from Pemex.\r\nFor the other three companies, they only stole a few files because there was \"nothing interesting\" or because \"it was not our\r\ngoal\".\r\nThey stated that they do plan on performing more data exfiltration now that this site has been created.\r\nTreat ransomware attacks like data breaches!\r\nBleepingComputer has repeatedly stated that ransomware attacks have to be treated like data breaches.\r\nFor years, it is has been a well-known secret that ransomware attackers are looking through and stealing victim's files before\r\nencrypting computers and then threatening to release them.\r\nIt was not until recently, though, that ransomware operators have followed through with their threats.\r\nNow that they are doing so and more ransomware operators are getting on board, companies need to be transparent about the\r\ndata theft and treat these attacks like data breaches.\r\nThis is because it is not only corporate data being stolen, but also vendor and client data and the personal information of\r\nemployees.\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nPage 4 of 5\n\nTransparency is more important now than ever and hiding these attacks is putting their employees at long-term risk as their\r\ndata is exposed to identity theft and fraud.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nhttps://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/"
	],
	"report_names": [
		"doppelpaymer-ransomware-launches-site-to-post-victims-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89df581576a10b6396827f1645d7c84e524a3305.pdf",
		"text": "https://archive.orkl.eu/89df581576a10b6396827f1645d7c84e524a3305.txt",
		"img": "https://archive.orkl.eu/89df581576a10b6396827f1645d7c84e524a3305.jpg"
	}
}