{
	"id": "437375e8-72c2-4c2d-b79e-9c4ba7c46cc5",
	"created_at": "2026-04-06T00:06:51.95859Z",
	"updated_at": "2026-04-10T03:35:29.004198Z",
	"deleted_at": null,
	"sha1_hash": "d677b2a924c424b614fcffb0118572f5c9b23ca1",
	"title": "Dark Web Threat Profile: Grief Ransomware Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54028,
	"plain_text": "Dark Web Threat Profile: Grief Ransomware Group\r\nPublished: 2021-11-02 · Archived: 2026-04-05 13:32:36 UTC\r\nA new ransomware called Grief was at first considered to be a new operation. Security researchers then noticed that the new Grief gang carries similarities with the DoppelPaymer crew. DoppelPaymer, in turn, was considered to be based on the BitPaymer ransomware (which first emerged in 2017) because of the connections in their code, ransom notes, and payment portals.\r\nGrief: A Rebranding Story\r\nDoppelPaymer’s activity started to decrease in mid-May, approximately a week after DarkSide ransomware’s attack on Colonial Pipeline, one of the biggest fuel pipeline operators in the U.S.\r\nBecause there had been no updates on their leak site since May 6, 2021, it looked like the DoppelPaymer gang was taking a step back, waiting for the public’s attention to ransomware attacks to fade.\r\nHowever, after months of silence, the DoppelPaymer ransomware gang appears to have rebranded itself as “Grief.” News about Grief ransomware appeared in early June, when it was believed to be a new operation, but later, researchers discovered a malware sample dated May 17.\r\nGrief vs. DoppelPaymer: Their Similarities and Differences\r\nAlthough the threat actor tried to make Grief look like a separate RaaS (Ransomware as a Service), the similarities to DoppelPaymer are so apparent that a connection between the two is impossible to dismiss. The sample found with a compilation date of May 17 contains the Grief ransomware code and the ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal.\r\nThe groups’ leak sites are almost identical, including shared code that displays a captcha to prevent automated crawling. The two ransomware families use similar code with the same encryption algorithms (2048-bit RSA and 256-bit AES), entry point offset calculation, and import hashing. 
Another similarity is the reference to the EU General Data Protection Regulation (GDPR) on their leak sites, used to warn non-paying victims.\r\nLogin Screen of Leak Sites of Grief and DoppelPaymer\r\nComparison Table for the Differences between Grief and DoppelPaymer\r\nBased on these similarities and very few differences, analysts have concluded that Grief is a rebranding of DoppelPaymer. DoppelPaymer’s new effort seems to be more about keeping a low profile than about becoming more sophisticated.\r\nGrief Wants to Play a Game: Their Pressure Tactics\r\nhttps://socradar.io/dark-web-threat-profile-grief-ransomware-group/\r\nPage 1 of 3\n\nThe Grief ransomware gang said, “We wanna play a game” in a message posted to its Tor-hosted leak site on September 13, 2021. The statement says they will delete a victim’s decryption key if the victim hires a negotiation company. Grief is not the first ransomware group to come up with this approach.\r\nAs a new tactic for increasing the pressure on victims, the Ragnar Locker ransomware gang posted a warning on their darknet leak site. They stated that from that moment on, if any victim hires a recovery company for consultations or sends requests to the police, FBI, or investigators, they will consider this hostile intent and publish the complete compromised data.\r\nAs another pressure tactic, there is a catchy reference to GDPR (General Data Protection Regulation) on their landing page. The group is trying to push victims to pay earlier to avoid possible issues with European regulators, which is one of its extortion tactics. 
The GDPR allows the EU’s Data Protection Authorities to issue penalties of up to €20 million or 4% of annual global turnover (whichever is higher), which would be a higher price than a possible ransom payment to the ransomware gang.\r\nHomepage of Grief Ransomware Leak Site and the GDPR Regulation on It\r\nTarget Profile of Grief Ransomware Group\r\nAt present, there are over two dozen victims on the Grief leak site, and it looks like the actor has been busy, but their target profile still cannot be determined with certainty. However, judging by their recent victims, it can be stated that, unlike Babuk, Grief shows no restraint towards schools, hospitals, or non-profit charitable foundations.\r\nAlso, according to the FBI notification, the initial targets of their origin gang, DoppelPaymer, were organizations in healthcare, emergency services, and education.\r\nGrief Ransomware Gang Post Listed on SOCRadar’s DarkMirror\r\nTactics, Techniques, and Procedures (TTP) of Grief\r\nRansomware gangs usually destroy shadow copies (T1490 Inhibit System Recovery), but Grief has not been observed doing this. This may be because Grief was designed for the operator to delete shadow copies manually, or for other reasons. It matters because if a victim has shadow copies enabled on a machine, they may be able to restore lost data. Grief setting the system to boot into safe mode, with minimal services available and no network connectivity, is remarkable because very few ransomware families do this.\r\nGrief has a unique way of setting itself up for persistence. It adjusts a legitimate Windows Service configuration to run the malware. Grief chooses a legitimate Windows Service and replaces the ImagePath registry value of the service’s configuration to execute the ransomware again at the next boot (T1543.003 Create or Modify System Process: Windows Service). 
This guarantees that the next time the system starts, Grief runs again and returns the system to safe mode.\r\nSource: https://socradar.io/dark-web-threat-profile-grief-ransomware-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://socradar.io/dark-web-threat-profile-grief-ransomware-group/"
	],
	"report_names": [
		"dark-web-threat-profile-grief-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d677b2a924c424b614fcffb0118572f5c9b23ca1.pdf",
		"text": "https://archive.orkl.eu/d677b2a924c424b614fcffb0118572f5c9b23ca1.txt",
		"img": "https://archive.orkl.eu/d677b2a924c424b614fcffb0118572f5c9b23ca1.jpg"
	}
}