DoppelPaymer Ransomware Recovery Services

Call us at 949-281-4998 anytime, 24/7.
We understand you need help fast.

Or provide your contact information, and we’ll get back to you quickly.


Has Your Business Fallen Victim to DoppelPaymer Ransomware?

Our Ransomware Response Team is ready to help, specializing in helping businesses remove ransomware and restore encrypted files.

DoppelPaymer Ransomware Recovery Services

Rely on Intelecis to prioritize your data recovery because downtime has a significant negative impact on business performance across all industries. Numerous businesses have benefited from the expertise of our well-equipped Ransomware Team.  

What is DoppelPaymer?  

Although DoppelPaymer’s first known victims were targeted in June 2019, we were able to retrieve earlier versions of the malware dating from April 2019. Because these early builds lack many of the features seen in subsequent iterations, it is unclear whether they were ever used against victims or were only created for testing.

Eight different malware builds have been found thus far, and three victims have been positively identified. The ransom amounts are 2 BTC, 40 BTC, and 100 BTC. These ransom prices range from about $25,000 to over $1,200,000 based on the USD to BTC exchange rate at the time of writing.

DoppelPaymer’s ransom note resembles those issued by the first BitPaymer in 2018. The ransom amount is not mentioned in the note, but it does provide a URL for a TOR-based payment gateway, and as seen in Figure 4, the keyword DATA is used to refer to the encrypted key instead of the keyword KEY. 

The DoppelPaymer payment gateway is virtually identical to the BitPaymer platform. The victim is still identified by a specific ID and is still referred to as “Bit paymer” on the website. A BTC address and ransom payment instructions are provided on the site along with a ransom amount and countdown timer. Figure 5 below depicts an illustration of the DoppelPaymer ransom portal web page. 

How Does DoppelPaymer Ransomware Work?  

File encryption is now threaded, which can increase the rate at which files are encrypted. The network enumeration code parses the victim machine’s Address Resolution Protocol (ARP) table, obtained by running the command arp.exe -a, and combines the resulting IP addresses of other hosts on the local network with the results of domain resolution performed with nslookup.exe. (Earlier versions of BitPaymer listed network shares in a similar manner using the command net.exe view.)

DoppelPaymer is designed to run only when a particular command-line argument is supplied. The malware calculates a CRC32 checksum of the first command-line argument and adds a constant value that is hard-coded in the program. It then adds the current instruction pointer to that result, and the sum serves as the target of a jmp that must be taken for execution to continue. The hard-coded constant is different in each build; in the analyzed sample it was 0x672e6eb7, as shown in Figure 6 below.
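The following model of that launch gate is an added example, not code from the malware or from Intelecis. It shows why a sample detonated without the expected argument jumps to the wrong address (so a generic sandbox run never reaches the encryption code), and how an analyst who has recovered the intended continuation address from the disassembly can check a candidate argument. The CRC32 variant (zlib’s IEEE polynomial), the ASCII encoding of the argument, the 32-bit wraparound, and all sample addresses and arguments are assumptions constructed for the example; only the constant 0x672e6eb7 comes from the page.

```python
import zlib

# Per-build constant stated on the page for the analyzed sample (Figure 6).
BUILD_CONSTANT = 0x672E6EB7
MASK32 = 0xFFFFFFFF  # 32-bit register arithmetic (assumed)


def jump_target(arg: str, instruction_pointer: int,
                constant: int = BUILD_CONSTANT) -> int:
    """Address the gate's jmp would land on for a given argument.

    Assumed model: crc32(first argument) + constant + instruction pointer,
    wrapping at 32 bits. Standard CRC32 over ASCII bytes is an assumption.
    """
    crc = zlib.crc32(arg.encode("ascii")) & MASK32
    return (crc + constant + instruction_pointer) & MASK32


def argument_reaches(arg: str, instruction_pointer: int,
                     expected_target: int,
                     constant: int = BUILD_CONSTANT) -> bool:
    """Analyst check: does this candidate argument make the jmp land on
    the continuation address recovered from the disassembly?"""
    return jump_target(arg, instruction_pointer, constant) == expected_target


def triage_candidates(candidates, instruction_pointer, expected_target):
    """Map each candidate argument to (computed target, reaches expected)."""
    return {
        c: (jump_target(c, instruction_pointer),
            argument_reaches(c, instruction_pointer, expected_target))
        for c in candidates
    }


if __name__ == "__main__":
    # Constructed values: a hypothetical launch argument and jmp site.
    real_arg = "launch-key-demo"
    ip = 0x00401000
    expected = jump_target(real_arg, ip)  # what the disassembly would show
    for arg, (target, ok) in triage_candidates(
            ["", "wrong", real_arg], ip, expected).items():
        print(f"{arg!r:20} -> 0x{target:08X} {'continues' if ok else 'misses'}")
```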

What happens when a Dharma attack is initiated? 

Dharma ransomware is spread by spam emails as malicious attachments. One distinctive trait of this type of ransomware is the use of malicious attachments with double file extensions, which may appear to be non-executable under default Windows settings but are actually executable.

Additionally, Dharma ransomware can be hidden in legitimate-looking software installation files. Ransomware attackers present these seemingly harmless installers for various legitimate software products as downloadable executables.
