ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Doppel Spider

Names: Doppel Spider (CrowdStrike)
Country: Russia
Motivation: Financial crime, Financial gain
First seen: 2019

Description (CrowdStrike): CrowdStrike Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by Indrik Spider. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

DoppelPaymer has been observed to be distributed by Smoke Loader (operated by Smoky Spider) and Emotet (operated by Mummy Spider, TA542).

Observed sectors: Government.
Observed countries: Chile, USA.
Tools used: DoppelPaymer.
Operations performed:

Feb 2020: The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a ransom demand.
<https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/>

Mar 2020: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay.
<https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/>

Jun 2020: DoppelPaymer ransomware gang claims to have breached DMI, a major US IT and cybersecurity provider and one of NASA's IT contractors.
<https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/>

Aug 2020: UK research university Newcastle University says that it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of August 30th.
<https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-newcastle-university-leaks-data/>

Sep 2020: A death occurred after a patient was diverted to a nearby hospital when the Duesseldorf University Hospital suffered a ransomware attack.
<https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/>

Information:
<https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/>
<https://lifars.com/2019/11/from-dridex-to-bitpaymer-ransomware-to-doppelpaymerthe-evolution/>
<https://www.bleepingcomputer.com/news/security/new-doppelpaymer-ransomware-emerges-from-bitpaymers-code/>
<https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/>

Last change to this card: 19 October 2020

