Microsoft warns of growing DoppelPaymer Ransomware threat

The Microsoft Security Response Center (MSRC) warned customers of the DoppelPaymer ransomware and provided useful information on the threat.

The Microsoft Security Response Center (MSRC) warned customers of the DoppelPaymer ransomware, the tech giant provided useful information on the threat and how it spreads.

“Microsoft has been investigating recent attacks by malicious actors using the Dopplepaymer ransomware. There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads.” reads the advisory published by Microsoft. “Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network.”

According to Microsoft, ransomware attacks continue to target enterprise environments through social engineering, for this reason, the adoption of best practices is the best way to protect them.

The experts suggest enforcing good credential hygiene, least privilege, and network segmentation as key measures to prevent such kind of incidents.

“These best practices can help prevent Dopplepaymer operators and other attackers from disabling security tools and using privileged credentials to destroy or steal data or hold it for ransom.” continues Microsoft.

Microsoft has shared more information on ransomware and how to stay safe online here, it urges organizations to:

• Keep your Windows Operating System and antivirus up-to-date. Upgrade to Windows 10.
• Regularly back-up your files in an external hard-drive.
• Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history.
• Use OneDrive for Consumer or for Business.
• Beware of phishing emails, spams, and clicking malicious attachment.
• Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
• Disable the loading of macros in your Office programs.
• Disable your Remote Desktop feature whenever possible.
• Use two factor authentication.
• Use a safe and password-protected internet connection.
• Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

In November, the Mexican state-owned oil company Petróleos Mexicanos (Pemex) was infected with the DoppelPaymer ransomware.

Early November, the DoppelPaymer ransomware disrupted IT operations in the territory of Nunavut (Canada), all government services requiring access to electronic data were impacted.

The TA505 cybercrime group that is known for the distribution of the Dridex Trojan and the Locky ransomware, in mid-2017 released the BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

In July, CrowdStrike experts found a new variant of the ransomware tracked as DoppelPaymer. The discovery suggests that some members of TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop new malware. Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

Both BitPaymer and DoppelPaymer continue to operate in parallel since then.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]