The cybercrime gang tracked as TA505 has been active since 2014 and focuses on the retail and banking industries. The group is known for the distribution of the Dridex Trojan and the
In mid-2017, the group released the BitPaymer ransomware (aka FriedEx), which was used in attacks against high-profile targets and organizations. The ransomware was distributed through Remote Desktop Protocol (RDP) brute-force attacks.
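Because RDP brute forcing was the initial access vector for these campaigns, the check a defender most wants is a way to spot it in the Windows Security log before the ransomware is deployed. The following is an added example, not code from the article or from CrowdStrike: it flags source IPs that produce a burst of failed logons (Event ID 4625) with an RDP logon type, and notes whether a successful logon (4624) from the same source followed the burst. The records are constructed for this example; the field names (EventID, LogonType, IpAddress, TargetUserName) follow the Windows event schema, and the threshold and window are assumptions to tune per environment.

```python
"""Detect RDP password brute forcing from Windows Security log events.

Added example with constructed records modelled on Event IDs 4625 (failed
logon) and 4624 (successful logon). Not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types an RDP attempt produces: 10 = RemoteInteractive;
# 3 = Network, which is what a failure looks like when Network Level
# Authentication rejects the credentials before a session is created.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample data (assumed addresses and account names).
SAMPLE_EVENTS = [
    # Fast spray from one source, several accounts, then a success.
    {"time": "2019-06-10T02:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:00:08", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"time": "2019-06-10T02:00:15", "EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:00:22", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"time": "2019-06-10T02:00:29", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "sqlsvc"},
    {"time": "2019-06-10T02:00:36", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:00:40", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    # A user mistyping a password twice, then logging in: benign.
    {"time": "2019-06-10T02:03:10", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.4", "TargetUserName": "jsmith"},
    {"time": "2019-06-10T02:03:40", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.4", "TargetUserName": "jsmith"},
    {"time": "2019-06-10T02:04:00", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.4", "TargetUserName": "jsmith"},
    # Console (LogonType 2) failure: not RDP, must be ignored.
    {"time": "2019-06-10T02:10:00", "EventID": 4625, "LogonType": 2,  "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk"},
    # Slow attacker, one attempt every ten minutes: evades a 5-minute window.
    {"time": "2019-06-10T02:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.8", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:10:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.8", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:20:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.8", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:30:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.8", "TargetUserName": "administrator"},
    {"time": "2019-06-10T02:40:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.8", "TargetUserName": "administrator"},
]


def _rdp_attempts_by_ip(events):
    """Group RDP logon events by source IP as sorted (time, user, succeeded) tuples."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4624, 4625) or e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        by_ip[e["IpAddress"]].append(
            (datetime.fromisoformat(e["time"]), e["TargetUserName"], e["EventID"] == 4624))
    for attempts in by_ip.values():
        attempts.sort()
    return by_ip


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {...}} for sources with >= threshold failed RDP logons inside
    any sliding window of the given length. Each hit records the size of the
    largest burst, the distinct accounts tried in it, and whether a successful
    RDP logon from that source came after the burst (a likely compromise)."""
    hits = {}
    for ip, attempts in _rdp_attempts_by_ip(events).items():
        failures = [(t, u) for t, u, ok in attempts if not ok]
        best = None  # (count, start_index, end_index) of the largest burst
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits the window length.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best is None:
            continue
        n, start, end = best
        burst_end = failures[end][0]
        hits[ip] = {
            "count": n,
            "users": sorted({u for _, u in failures[start:end + 1]}),
            "success_after": any(ok and t > burst_end for t, _, ok in attempts),
        }
    return hits


if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, hit)
```

The slow source 203.0.113.8 is the caveat: a fixed 5-minute window misses an attacker pacing attempts at one every ten minutes, so a second, wider window (an hour or more with a low threshold) is worth running alongside the fast one. A success following the burst is the event that should page someone, since that is the point at which the ransomware operators get their interactive foothold.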
“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.
“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”
Now experts have found a new variant of the ransomware, tracked as DoppelPaymer. The discovery suggests that some members of the TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop new malware.
Early BitPaymer variants delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions dropped this information: the variant observed in the threat landscape since July 2018 included only two email addresses, to be used to negotiate the ransom and to receive payment instructions.
The latest variant, observed by the experts in November 2018, includes the victim’s name in the ransom note and uses 256-bit AES in cipher block chaining (CBC) mode for encryption.
“Since the update
According to the experts, DoppelPaymer was first used in a targeted attack in June 2019. Experts detected eight distinct malware builds that were
The ransom amounts demanded from victims varied from attack to attack, ranging from approximately $25,000 to $1,200,000 worth of Bitcoin.
The ransom note dropped by the DoppelPaymer ransomware does not include the ransom amount; instead, it contains the onion address of a Tor-based payment portal that is identical to the original BitPaymer portal.
The authors of DoppelPaymer improved on the BitPaymer source code.
DoppelPaymer leverages ProcessHacker, a legitimate
“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation.”
(SecurityAffairs – DoppelPaymer ransomware, TA505)