The DoppelPaymer ransomware operation has made a rebranding move.
Following a period of little or no activity, they are back, and DoppelPaymer has rebranded as Grief (alias Pay or Grief).
Though there is no firm evidence that the original developers are still behind the ransomware-as-a-service (RaaS), several security researchers point out that it is a continuation of the same project.
DoppelPaymer's activity began to fall off in mid-May, just a week after the DarkSide ransomware attack on Colonial Pipeline, one of the largest fuel pipeline operators in the U.S.
Since May 6, DoppelPaymer appeared to be taking a step back, with no updates on its leak website, apparently waiting for public attention on ransomware attacks to disperse.
But last month security researchers indicated that Grief and DoppelPaymer were two names for the same threat.
Fabian Wosar of Emsisoft said that both ransomware operations use a similar encrypted file format and the same distribution channel, i.e. the Dridex botnet.
Despite the threat actor's attempt to make Grief look like a separate RaaS, the similarities to DoppelPaymer are so striking that a connection between the two seems clear.
The relationship extends to their leak sites: although visually the two could not be more different, similarities abound, such as the captcha code that limits automated crawling of the website.
Additionally, the two ransomware threats rely on extremely similar code that implements “identical encryption algorithms (2048-bit RSA and 256-bit AES), import hashing, and entrance point offset calculation.”
A ransomware gang that rebrands is not necessarily trying to cover its tracks; it may be doing so to avoid government sanctions that would bar victims from paying the ransom.