Threat Group Cards: A Threat Actor Encyclopedia

APT group: Doppel Spider

Names: Doppel Spider (CrowdStrike), Gold Heron (SecureWorks), Grief Group (self-given)
Country: Russia
Motivation: Financial gain
First seen: 2019
Description: (CrowdStrike) CrowdStrike Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by Indrik Spider. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

DoppelPaymer has been observed to be distributed by Smoke Loader (operated by Smoky Spider) and Emotet (operated by Mummy Spider, TA542).
Observed sectors: Government
Observed countries: Chile, USA
Tools used: DoppelPaymer
Operations performed:
Feb 2020: The DoppelPaymer ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a ransom demand.
Mar 2020: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay.
Jun 2020: DoppelPaymer ransomware gang claims to have breached DMI, a major US IT and cybersecurity provider, and one of NASA's IT contractors.
Aug 2020: UK research university Newcastle University says that it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of August 30th.
Sep 2020: Death occurred after a patient was diverted to a nearby hospital after the Duesseldorf University Hospital suffered a ransomware attack.
Oct 2020: On October 7th, Hall County in Georgia announced that they had suffered a ransomware attack that impacted their networks and phone systems.
Nov 2020: Compal, the second-largest laptop manufacturer in the world, hit by ransomware.
Nov 2020: MasterChef, Big Brother producer hit by DoppelPaymer ransomware.
Dec 2020: Foxconn electronics giant hit by ransomware, $34 million ransom.
Feb 2021: Kia Motors America suffers ransomware attack, $20 million ransom.
Apr 2021: Breach of the Illinois Attorney General's Office.
Jul 2021: DoppelPaymer ransomware gang rebrands as the Grief group.

Last change to this card: 09 August 2021

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency