DoppelPaymer is following in the footsteps of other ransomware operators by publicly announcing that it intends to sell victims’ data to re-sellers or disclose the stolen files to the public.
Ransomware operators who perform network-wide encryption have devised a way of stealing files before encrypting any devices. The ransomware operations that have already carried out these threats include Maze, which was the first to disclose files belonging to Allied Universal after the company failed to pay the requested ransom. Since November 2019, when this happened, Sodinokibi/REvil ransomware has published victims’ files, and Nemty ransomware has declared that it will follow suit.
Maze ransomware continues to make headlines with its commitment to data breaches. Earlier this month, the FBI warned US companies about Maze, which at one point was behaving like a government agency before stealing data from them. Security is heightened as other ransomware continues to cause mayhem.
DoppelPaymer disclosed to BleepingComputer that it had sold victims’ data on the darknet after they had failed to pay the requested ransom. The ransomware’s Tor payment site spells out its threats to victims, informing them that their files have been stolen and that the files will be sold or disclosed to the public if they do not pay.
DoppelPaymer, in supporting Maze and planning to emulate Maze’s actions, has stated that the sale of stolen data helps to cover some costs, and that publicizing the data of victims who have not paid increases the success rate of any given ransomware operation.
To prove that it is indeed operating with stolen data and that it plans to make it big, DoppelPaymer shared two Excel spreadsheets showing a list of Windows domain users on two compromised networks.
A Switch to a New Extension
DoppelPaymer was an offshoot of BitPaymer ransomware, and its recent switch to a new dedicated .doppeled extension for encrypted files sets it apart from BitPaymer. This move is also aimed at ensuring that victims can easily identify which ransomware encrypted their network.
Following the move, companies ought to be on the lookout for ransomware attacks, and in the event of an attack, prompt action should be taken to safeguard the victim and keep the damage to a minimum.