After a period of almost complete inactivity, ransomware group DoppelPaymer rebranded itself to Grief (also known as Pay or Grief). It remains unknown if any of the original ransomware developers are behind the changes, but clues found by security researchers point to a continuation of the “project.”
DoppelPaymer activity began to decline in mid-May, about a week after the DarkSide ransomware attack on Colonial Pipeline, one of the largest fuel pipeline operators in the US. There have been no updates on the group's data leak site since May 6. The DoppelPaymer group has allegedly decided to wait until public attention to ransomware attacks wanes.
The Grief group became known in June this year. The hackers allegedly stole data from 5 organizations, including one in Mexico. According to experts, DoppelPaymer and Grief used the same encrypted file format and the same distribution channel – the Dridex botnet. Despite attempts by attackers to make Grief look like a standalone ransomware-as-a-service (RaaS), the similarities with DoppelPaymer cannot be ignored.
In addition, cybersecurity researchers at Zscaler analyzed an early sample of the Grief ransomware and noticed that its ransom note pointed to the DoppelPaymer portal. They also found that DoppelPaymer and Grief are based on very similar code that implements “identical encryption algorithms (2048-bit RSA and 256-bit AES), import hashing, and entry point offset calculation.”
Another similarity is that both Grief and DoppelPaymer cite the General Data Protection Regulation (GDPR) in their ransom notes, warning victims that if the ransom is not paid they will still face legal fines for the resulting data leak.