{
	"id": "519e3f09-f170-4f3f-b2a5-45d548678de1",
	"created_at": "2026-04-06T00:15:05.30875Z",
	"updated_at": "2026-04-10T13:12:08.543978Z",
	"deleted_at": null,
	"sha1_hash": "9cf0b062b9605106caa131a6836355dd29e332cc",
	"title": "An Overview of the DoppelPaymer Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46889,
	"plain_text": "An Overview of the DoppelPaymer Ransomware\r\nBy: Trend Micro Research Jan 05, 2021 Read time: 4 min (1006 words)\r\nPublished: 2021-01-05 · Archived: 2026-04-05 17:08:53 UTC\r\nIn early December 2020, the FBI issued a warning regarding DoppelPaymer, a ransomware family that first appeared in 2019 when it launched attacks against organizations in critical industries. Its activities have continued throughout 2020, including a spate of incidents in the second half of the year that left its victims struggling to properly carry out their operations.\r\nWhat is DoppelPaymer?\r\nDoppelPaymer is believed to be based on the BitPaymer ransomware (which first appeared in 2017) due to similarities in their code, ransom notes, and payment portals. It is important to note, however, that there are some differences between DoppelPaymer and BitPaymer. For example, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES (with older versions using 1024-bit RSA + 128-bit RC4). Furthermore, DoppelPaymer improves upon BitPaymer’s rate of encryption by using threaded file encryption.\r\nAnother difference between the two is that DoppelPaymer needs the correct command-line parameter before it executes its malicious routines. Our experience with the samples that we encountered shows different parameters for different samples. This technique is possibly used by the attackers to avoid detection via sandbox analysis as well as to prevent security researchers from studying the samples.\r\nPerhaps the most unique aspect of DoppelPaymer is its use of a tool called Process Hacker, which it uses to terminate services and processes related to security, email server, backup, and database software to impair defenses and prevent access violations during encryption.\r\nLike many modern ransomware families, DoppelPaymer’s ransom demands for file decryption are sizeable, ranging anywhere from US$25,000 to US$1.2 million. Furthermore, starting in February 2020, the malicious actors behind DoppelPaymer launched a data leak site. They then threaten victims with the publication of their stolen files on the data leak site as part of the ransomware’s extortion scheme.\r\nWhat is DoppelPaymer’s routine?\r\nDoppelPaymer uses a fairly sophisticated routine, starting off with network infiltration via malicious spam emails containing spear-phishing links or attachments designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine document. This code is responsible for downloading other malware with more advanced capabilities (such as Emotet) into the victim’s system.\r\nOnce Emotet is downloaded, it will communicate with its command-and-control (C\u0026C) server to install various modules as well as to download and execute other malware.\r\nFor the DoppelPaymer campaign, the C\u0026C server was used to download and execute the Dridex malware family, which in turn is used to download either DoppelPaymer directly or tools such as PowerShell Empire, Cobalt Strike, PsExec, and Mimikatz. Each of these tools is used for various activities, such as stealing credentials, moving laterally inside the network, and executing different commands, such as disabling security software.\r\nhttps://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html\r\nPage 1 of 3\n\nOnce Dridex enters the system, the malicious actors do not immediately deploy the ransomware. Instead, they try to move laterally within the affected system’s network to find a high-value target to steal critical information from. Once this target is found, Dridex will proceed to execute its final payload, DoppelPaymer. DoppelPaymer encrypts files found in the network as well as on fixed and removable drives in the affected system.\r\nFinally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent users from logging in to the system. It then changes the notice text that appears before Windows proceeds to the login screen.\r\nThe new notice text is now DoppelPaymer’s ransom note, which warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that their sensitive data will be shared with the public if they do not pay the ransom that is demanded from them.\r\nDoppelPaymer will also drop the Process Hacker executable, its driver, and a stager DLL. DoppelPaymer will create another instance of itself that executes the dropped Process Hacker. Once Process Hacker is running, it will load the stager DLL via DLL Search Order Hijacking. The stager DLL will then wait for a trigger from the running DoppelPaymer process.\r\nDoppelPaymer has a CRC32 list of processes and services it will terminate. If a process or service in its list is running, it will trigger Process Hacker to terminate it.\r\nWho is affected?\r\nAccording to the FBI notification, DoppelPaymer’s primary targets are organizations in healthcare, emergency services, and education. The ransomware has already been involved in a number of attacks in 2020, including disruptions to a community college as well as police and emergency services in a city in the US during the middle of the year.\r\nDoppelPaymer was particularly active in September 2020, with the ransomware targeting a German hospital, which resulted in the disruption of communication and general operations. It also set its sights on a county E911 center as well as another community college in the same month.\r\nWhat can organizations do?\r\nOrganizations can protect themselves from ransomware such as DoppelPaymer by ensuring that security best practices are in place. These include:\r\nRefraining from opening unverified emails and clicking on any embedded links or attachments in these messages.\r\nRegularly backing up important files using the 3-2-1 rule: Create three backup copies in two different file formats, with one of the backups in a separate physical location.\r\nUpdating both software and applications with the latest patches as soon as possible to protect them from vulnerabilities.\r\nEnsuring that backups are secure and disconnected from the network at the conclusion of each backup session.\r\nAuditing user accounts at regular intervals — in particular those accounts that are publicly accessible, such as Remote Monitoring and Management accounts.\r\nMonitoring inbound and outbound network traffic, with alerts for data exfiltration in place.\r\nImplementing two-factor authentication (2FA) for user login credentials, as this can help strengthen security for user accounts.\r\nImplementing the principle of least privilege for file, directory, and network share permissions.\r\nIndicators of Compromise (IOCs)\r\nHash (SHA256) Detection Name\r\n624255fef7e958cc3de9e454d2de4ae1a914a41fedc98b2042756042f68c2b69 Ransom.Win32.DOPPELPAYMER.TGACAR\r\n4c207d929a29a8c25f056df66218d9e8d732a616a3f7057645f2a0b1cb5eb52c Ransom.Win32.DOPPELPAYMER.TGACAQ\r\nc66157a916c7f874bd381a775b8eede422eb59819872fdffafc5649eefa76373 Ransom.Win32.DOPPELPAYMER.TGACAP\r\nSource: https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html"
	],
	"report_names": [
		"an-overview-of-the-doppelpaymer-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cf0b062b9605106caa131a6836355dd29e332cc.pdf",
		"text": "https://archive.orkl.eu/9cf0b062b9605106caa131a6836355dd29e332cc.txt",
		"img": "https://archive.orkl.eu/9cf0b062b9605106caa131a6836355dd29e332cc.jpg"
	}
}