Defending against DoppelPaymer – the latest ransomware incident


It’s been said that the first ransomware attack took place as far back as 1989. Delegates who’d attended the World Health Organization AIDS conference in Stockholm were sent floppy discs containing malicious code that installed itself onto MS-DOS systems.

After each machine was booted up for the 90th time, the trojan hid all the directories and encrypted the names of all the files on the drive. Victims were then sent a note saying that their software lease had expired and that they must send $189 by post to regain access to their systems.
We’ve come a long way since the days of floppy discs, but the principle of extorting payment in return for access to data and systems that have been hacked remains the same today. Ransomware is one of the biggest cybersecurity threats there is, and the recent DoppelPaymer attack showed that the threat is not about to lessen any time soon.

What is DoppelPaymer?
DoppelPaymer is an evolution of the BitPaymer ransomware, and first came to light in the summer of 2019. BitPaymer itself emerged as ransomware that used Dridex to move laterally and proliferate within a network.

DoppelPaymer is taking ransomware to another level. Whereas previous ransomware threats only held the data to ransom against its owner, with DoppelPaymer the data is held to ransom with the added risk that it is made publicly available. This has significant implications for the data owner, as the incident now becomes a data breach.

The recent high-profile attack on Visser has caught people’s attention. This is partly because of the organization being held to ransom – Visser is a parts manufacturer to major brands such as Boeing, Tesla and SpaceX – and partly because of DoppelPaymer’s nature.
It’s file-encrypting malware which first exfiltrates a company’s data and only discloses the data theft when that company goes to the ransomware’s website to pay the ransom. This means that organizations might not even be aware of their data being exfiltrated, a highly vulnerable place to be in.

DoppelPaymer relies on employees opening the email message, which contains a Word document together with the password the user needs to open it. Once the document has been opened, the ransomware can move across the network and take all the data it wishes.

Effective mitigation against DoppelPaymer
The threat posed by DoppelPaymer has rightly got many enterprise cybersecurity teams concerned. While combatting ransomware involves a number of different elements, a key element is, of course, the right cybersecurity. Many of our customers make use of our Adaptive Data Loss Prevention (A-DLP) features to help defend against ransomware attacks. This includes structural sanitization to detect and immediately remove malicious (active) code and hidden payloads.

However, in the case of DoppelPaymer, structural sanitization cannot detect what’s inside the file, so we can only use the fact that the file is encrypted. Organizations can build policy to only allow password-protected documents from trusted senders, which will go a long way in mitigating against DoppelPaymer. Ideally though, users should move to use email encryption as it is much more secure.
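The two paragraphs above describe the delivery pattern (an email carrying a password-protected Word document plus the password) and the only observable the gateway has left once the content is opaque: the fact that the attachment is encrypted. The following is an added, self-contained example, not Clearswift's code or configuration, of how a mail-filtering hook could implement that policy. It distinguishes a plain OOXML `.docx` (a zip archive that sanitization can inspect) from an encrypted one (an OLE compound file carrying `EncryptionInfo` and `EncryptedPackage` streams) and quarantines encrypted documents unless the sender's domain is on a trusted list. The trusted-domain set, the sample addresses and the attachment bytes are constructed for the example; the stream-name check is a byte-pattern heuristic, not a full compound-file parser.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allow-list (hypothetical); a real gateway reads this from policy config.
TRUSTED_SENDER_DOMAINS = {"partner.example"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML (.docx) is a zip
# CFB directory entry names are stored as UTF-16LE. An encrypted OOXML package
# carries these two streams; a legacy binary .doc does not.
ENCRYPTED_OOXML_STREAMS = (
    "EncryptionInfo".encode("utf-16-le"),
    "EncryptedPackage".encode("utf-16-le"),
)


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-plain', 'ooxml-encrypted', 'ole-container' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # Structural sanitization can open this container and inspect its parts.
        return "ooxml-plain" if "[Content_Types].xml" in names else "other"
    if data.startswith(OLE_MAGIC):
        # Payload is opaque; the only thing we can see is that it is encrypted.
        if any(stream in data for stream in ENCRYPTED_OOXML_STREAMS):
            return "ooxml-encrypted"
        return "ole-container"
    return "other"


def evaluate_message(raw: bytes) -> dict:
    """Apply the policy: encrypted documents are allowed only from trusted senders."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    findings = []
    verdict = "allow"
    for part in msg.iter_attachments():
        kind = classify_office_attachment(part.get_payload(decode=True) or b"")
        findings.append((part.get_filename(), kind))
        if kind == "ooxml-encrypted" and domain not in TRUSTED_SENDER_DOMAINS:
            verdict = "quarantine"
    return {
        "sender_domain": domain,
        "attachments": findings,
        # The lure pattern from the post: the password travels in the same message.
        "password_in_body": "password" in body_text.lower(),
        "verdict": verdict,
    }


def build_plain_docx() -> bytes:
    """Constructed minimal OOXML package (enough structure for the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_fake_encrypted_docx() -> bytes:
    """Constructed stand-in: CFB header plus the stream names an encrypted
    package carries. Not a valid document, but matches what the heuristic keys on."""
    return (OLE_MAGIC + b"\x00" * 504
            + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 64
            + "EncryptedPackage".encode("utf-16-le"))


def build_message(sender: str, body: str, filename: str, data: bytes) -> bytes:
    """Construct a sample .eml with one Word attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(
        data, maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    lure = build_message("billing@unknown.example",
                         "The password for the attached invoice is 4471.",
                         "invoice.docx", build_fake_encrypted_docx())
    print(evaluate_message(lure))
```

The same encrypted attachment from a domain in `TRUSTED_SENDER_DOMAINS` is allowed, which is the trade-off the post describes: the policy does not inspect the protected content, it only narrows who may send it. Moving to proper email encryption removes the need for the password-in-body pattern altogether.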

The ransomware threat is only going to grow as cyber criminals become more aggressive and targeted, and their approaches become more sophisticated. Enterprises are putting their IP, data and reputation at risk by not mitigating properly against ransomware, not to mention the increasingly eye-watering ransom demands that are becoming the norm.

How prepared would your organization be if it was facing a DoppelPaymer attack? If you aren’t sure, then why not get in touch with one of our ransomware experts who can talk you through how Clearswift can help protect you against it?


*** This is a Security Bloggers Network syndicated blog from Clearswift Blog authored by christopher.hood. Read the original post at: