April 13, 2024

You’ve nearly definitely heard of the ransomware household often known as DoppelPaymer, if solely as a result of the title itself is a reminder of the double-barrelled blackmail method utilized by many up to date ransomware gangs.

To extend the strain on you to pay up, so-called double-extortionists not solely scramble all of your knowledge information so your corporation stops operating, but additionally steal copies of these information to make use of as additional leverage.

The concept is that in the event you pay up for the decryption key to unlock your information and get your corporation again on the street, the attackers will very generously additionally conform to delete the information they’ve stolen (or so they are saying), reasonably than leaking these information to the media, revealing them the regulator, or promoting them on to different cybercriminals.

Crudely put, the blackmailers are inviting you to pay for them each for a constructive motion (handing over the decryption keys), and for a destructive one (not leaking the stolen knowledge).

Additionally, reasonably clearly, the crooks are hoping that even if in case you have dependable backups and will get your corporation shifting once more by yourself, with out paying for the decryption keys…

… then they could however have the ability to blackmail you into handing over their menaces-money anyway, by promising to maintain their mouths shut about the truth that you suffered a knowledge breach.

Often, double-extortion attackers steal your information of their unencrypted type earlier than garbling them. However they may simply as nicely steal them throughout or after the scrambling course of, provided that they already know the decryption keys.


DoppelPaymer, together with many different cybergangs of this kind, ran their very own on-line “name-and-shame” web site, as famous in a latest press release from Europol:

The felony group behind this ransomware relied on a double extortion scheme, utilizing a leak web site launched by the felony actors in early 2020. German authorities are conscious of 37 victims of this ransomware group, all of them firms. One of the severe assaults was perpetrated in opposition to the College Hospital in Düsseldorf. Within the US, victims paid no less than €40,000,000 between Could 2019 and March 2021.

That’s the unhealthy information.

The excellent news, in the event you can name it that, is the rationale why Europol is writing concerning the DoppelPaymer ransomware proper now.

A mixed operation involving German, Ukrainian and US legislation enforcement has just resulted within the interrogation and arrest of suspects in Germany and Ukraine, and the seizure of digital units in Ukraine for forensic evaluation.

Europol didn’t publish any footage of the gear seized on this case, however we’re assuming that laptops and cell phones, maybe together with autos (that are successfully multi-purpose on-line computing networks in their very own proper nowadays), have been taken away for examination.

Servers should be operating

The press launch didn’t point out whether or not the investigators have been capable of seize or shut down any servers related with this ransomware gang.

Lately, whether or not they’re operated by authentic companies or criminals, servers are likely to run someplace within the cloud, which fairly actually means “on another person’s laptop”, which just about at all times additionally means “some place else, maybe even overseas”.

Sadly, with cautious use of darkish net anonymity instruments and cautious operational safety, criminals can obscure the bodily location of the servers they’re utilizing.

These servers might embrace the web sites the place they publish their name-and-shame knowledge, the databases the place they report the decryption keys of present victims and whether or not they’ve paid, or the “enterprise community” servers the place they join associates to assist them mount their assaults.

So, even when the cops arrest some, many or all of the members of a ransomware gang, that doesn’t at all times cease the ransomware actions, as a result of their infrastructure stays, and might nonetheless be utilized by different gang members or taken over by rivals to proceed the extortion actions.

Likewise, if the cops handle to take down and seize servers which might be very important to a ransomware gang, the identical darkish net anonymity that makes it exhausting to hint forwards from arrested customers to their servers…

…additionally makes it exhausting to hint backwards from seized servers to determine and arrest the customers.

Except the crooks have made technical or operational blunders, after all, akin to once-in-a-while making direct connections to their servers by mistake as an alternative of going via an anonymising service akin to TOR (the Onion router), or counting on different operators within the cybercrime scene to not rat them out accidentally or on objective.


We speak to famend cybersecurity writer Andy Greenberg about his glorious e-book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

No audio participant under? Hear directly on Soundcloud.
Choose studying to listening? Full transcript out there.

What to do?

  • Don’t dial again your safety. As welcome as these arrests are, and as helpful because the seized units are more likely to be in serving to the cops to determine but extra suspects, this bust by itself is unlikely to make a major dent within the ransomware scene as a complete. Certainly, on this very case, Europol itself warns that “based on experiences, DoppelPaymer has since rebranded [as a ransomware gang called] ‘Grief’.”
  • Don’t fixate on ransomware alone. Keep in mind that ransomware assaults are generally, maybe typically, the tail-end of an prolonged assault, and even a number of assaults, involving criminals roaming freely via your community. Crooks who can steal knowledge from computer systems throughout your corporation, and who can scramble nearly any information they need on nearly as many laptops and servers they like, can (and infrequently do) perform nearly some other kind of sysadmin-level assault they need whereas they’re in. Unsurprisingly, this rogue “sysadmin” exercise typically consists of quietly opening up holes to let the identical crooks, or another person, again in later.
  • Don’t await risk alerts to drop into your dashboard. In double-extortion ransomware assaults, for instance, the data-stealing stage, the place the crooks are plundering your information earlier than scrambling them, is a useful warning that an assault is actively beneath approach. However with an excellent risk searching crew, whether or not in-house or introduced in as a service, you may intention to detect indicators of assault even sooner than that, ideally even earlier than the attackers get their preliminary beachhead from which they hope to assault your entire community.
  • Don’t pay up in the event you can probably keep away from it. We’ve at all times stated, “We’re not going to guage you in the event you do,” as a result of we’re not those whose enterprise has simply been derailed. However paying up not solely funds the following wave of cybercrime, but additionally could not even work in any respect. Colonial Pipeline infamously spent over $4 million on a decryption software that turned out to be ineffective, and the Dutch Police not too long ago warned of a cyberextortion gang who allegedly made hundreds of thousands “promoting their silence”, just for the stolen knowledge to be leaked anyway.


    In need of time or experience to care for cybersecurity risk response?
    Apprehensive that cybersecurity will find yourself distracting you from all the opposite issues that you must do?

    Check out Sophos Managed Detection and Response:
    24/7 threat hunting, detection, and response  ▶


    Learn our Active Adversary Playbook.
    It is a fascinating examine of 144 real-life assaults by Sophos Discipline CTO John Shier.