Although it never officially departed, the DoppelPaymer ransomware gang slowed its activities for some time. It now re-emerges as the rebranded ‘Grief’ ransomware, possibly to divert attention.
DoppelPaymer Emerges As Grief Ransomware
Researchers have found another ransomware strain in the wild that is more a rebrand of an earlier threat than a new one. Identified as Grief, or PayOrGrief, this ransomware bears an uncanny resemblance to DoppelPaymer.
The DoppelPaymer gang remained active in the wild for quite some time, targeting numerous high-profile entities. However, amid the chaos following the Colonial Pipeline ransomware attack, the threat actors apparently went into hibernation to escape unwanted attention from security agencies. They never announced a shutdown, though, nor did their infrastructure go offline.
Nonetheless, researchers have now caught the same ransomware with a different name in the wild, potentially indicating that the attackers took a break to work on this spin-off.
Grief ransomware first caught attention in June, with some samples dating back to May 2021. Initially, it appeared to be a new threat. However, according to Zscaler, the initial Grief (aka PayOrGrief) samples directly hint at it being DoppelPaymer. As stated,
This sample is particularly interesting because it contains the Grief ransomware code and ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal. This suggests that the malware author may have still been in the process of developing the Grief ransom portal.
Nevertheless, the threat actors tried hard to make the new version distinct by incorporating several changes. For instance, Grief demands the ransom in Monero (XMR) rather than Bitcoin (BTC), probably to stay under the radar. Also, Grief’s website mentions EU GDPR fines to pressure victim firms into paying the ransom in order to avoid them.
It isn’t clear whether the actual DoppelPaymer threat actors are driving the Grief campaign or whether other attackers are taking advantage of it. Either way, DoppelPaymer is not unique in this respect, given the recent reappearance of the DarkSide and Avaddon ransomware gangs under different names.