DoppelPaymer is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on June 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: DoppelPaymer Doxware, Doppeled.
Quick Facts
Ransomware Family
DoppelPaymer
First Seen
June 1, 2019
Known Aliases
DoppelPaymer DoxwareDoppeled
How DoppelPaymer Ransomware Works
Targeted Files
Requieres parameters to run -> p1q135no.exe QWD5MRg95gUEfGVSvUGBY84h
https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding
File Encryption Patterns
DoppelPaymer modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..locked..doppeled
Ransom Note and Payment Demands
After encrypting files, DoppelPaymer displays ransom notes demanding payment for file recovery:
file{origin_filename}.readme2unlock.txt
Ransom message:
notes/DOC1.docx.readme2unlock.txt
Note locations:
EveryFile
file{origin_filename}.how2decrypt.txt
Note locations:
EveryFile
Technical Indicators
Associated Executable Files
The following executable files are associated with DoppelPaymer ransomware:
WASpotLife.DLL
msdtc.exe
DoppelPaymer.exe
Doppel3.exe
doppelpaymer.exe
p1q135no.sfx.exe
Elastio Can Help You
Don't let DoppelPaymer ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
This DoppelPaymer ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like DoppelPaymer.