Malware · Ransomware · Used by 5 actors

DoppelPaymer

DoppelPaymer is a ransomware family and ransomware operation that the cited reporting associates with the Evil Corp lineage and describes as an offshoot or evolution of BitPaymer. It is reported to share code and similar tactics with BitPaymer, and Grief was later described as an offshoot of the DoppelPaymer group. DoppelPaymer is repeatedly described as using double-extortion tactics: operators steal data before encrypting systems, then publish or threaten to publish the stolen files on a leak site to increase pressure on victims. Reported activity includes the publication of stolen files from victims such as Visser Precision and Foxconn, and claims of selling previously stolen data on the dark web.

The malware has been deployed in enterprise intrusions affecting large organizations, including manufacturing and industrial targets. High-confidence victim examples in the cited reporting include Foxconn’s CTBG MX facility in Ciudad Juárez, Mexico, where operators reportedly demanded 1804.0955 BTC (about $34.7 million), claimed to have stolen 100 GB of data, encrypted roughly 1,200 to 1,400 servers, and destroyed 20 to 30 TB of backup data. Other victims explicitly named include Visser Precision, Bretagne Télécom, Compal, the City of Torrance, Hall County in Georgia, Newcastle University, PEMEX, and Banijay Group SAS. CERT-FR reporting cited here says the Lockean affiliate first deployed DoppelPaymer in 2020 against a French manufacturing company.

The cited reporting links DoppelPaymer distribution and affiliate activity to several initial-access ecosystems. SocGholish/FakeUpdates/GhoLoader has been used to deploy DoppelPaymer. TA551, also tracked as Shathak, UNC2420, Gold Cabin, Monster Libra, ATK236, and G0127, is described as a collaborator that helped deliver DoppelPaymer payloads, including via Qbot/QakBot-infected devices. Lockean intrusions were said to commonly begin with Qbot/QakBot delivered via Emotet or TA551, and in at least one case via IcedID, before ransomware deployment. The reporting also notes code-similarity observations between Emotet’s dynamic API resolution and Dridex or BitPaymer/DoppelPaymer code.

Behaviorally, the reporting directly attributes to DoppelPaymer data theft prior to encryption, leak-site extortion, and, in at least one incident, destructive impact on backups. Mandiant research cited here also found process kill lists deployed alongside DoppelPaymer, indicating pre-encryption process termination used to amplify ransomware impact, including in operational technology environments. Additional defense-evasion behavior referenced includes abuse of legitimate rootkit removal tools such as GMER to impair or disable defensive software; this is reported in connection with DoppelPaymer-linked intrusions rather than as a documented capability of the malware itself.

Associated actors and relationships mentioned include Evil Corp, Indrik Spider, Lockean, TA551, and the broader financially motivated intrusion ecosystems built around Qbot/QakBot, Emotet, IcedID, and SocGholish. The reporting also notes sanctions-related concern around groups descended from or linked to Evil Corp. No standalone IOC set for DoppelPaymer itself is provided here, but incident-specific indicators include the Foxconn ransom demand of 1804.0955 BTC, the claimed theft of 100 GB of data, the encryption of 1,200 to 1,400 servers, the destruction of 20 to 30 TB of backups, and the use of a Tor-based payment or leak site.
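The process-kill-list tradecraft described above (security, database and backup software terminated in quick succession so that encryption lands on unprotected, unlocked files) lends itself to a simple host-level detection. The following is an added example written for this page; it is not Mallory’s code and is not derived from the cited reporting. It scans constructed process-creation records in an assumed "timestamp|host|command" format for a burst of taskkill / net stop / sc stop commands on one host that touch an assumed watchlist of security, database, shadow-copy and backup names. The sample log lines, the 60-second window, the threshold of five kills, the watchlist and the placeholder name backup_agent.exe are all constructed for illustration.

```python
"""Detection sketch for 'process kill list' tradecraft: a burst of service-stop and
process-termination commands aimed at security or backup software on one host.

Added example; not Mallory's code and not taken from the cited reporting.
Input format and sample lines are constructed: "timestamp|host|command".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (simplified process-creation records, not real logs).
# backup_agent.exe is a placeholder name, not a real product.
SAMPLE_LOG = """\
2024-03-01T02:14:00|WS-07|C:\\Windows\\System32\\taskkill.exe /f /im MsMpEng.exe
2024-03-01T02:14:01|WS-07|net stop WinDefend /y
2024-03-01T02:14:01|WS-07|taskkill /f /im sqlservr.exe
2024-03-01T02:14:02|WS-07|sc stop VSS
2024-03-01T02:14:02|WS-07|taskkill /f /im vssvc.exe
2024-03-01T02:14:03|WS-07|net stop "SQL Server (MSSQLSERVER)" /y
2024-03-01T02:14:03|WS-07|taskkill /f /im backup_agent.exe
2024-03-01T09:30:00|WS-12|taskkill /f /im notepad.exe
2024-03-01T11:00:00|WS-12|net stop Spooler
"""

# Command shapes that terminate a process or stop a service; each captures the target.
KILL_PATTERNS = [
    re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)', re.I),
    re.compile(r'\bnet(?:1)?(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I),
    re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?([^"\s]+)', re.I),
]

# Assumed watchlist: substrings of process/service names whose termination is
# suspicious (Defender engine/service, SQL Server, Volume Shadow Copy, backup agents).
WATCHED = ("msmpeng", "windefend", "sqlservr", "mssqlserver", "vss", "backup")

WINDOW = timedelta(seconds=60)   # burst window (assumed tuning value)
THRESHOLD = 5                    # kills per host within the window before alerting


def extract_kill_target(command):
    """Return the lower-cased process/service a command tries to stop, or None."""
    for pattern in KILL_PATTERNS:
        match = pattern.search(command)
        if match:
            return next(g for g in match.groups() if g).lower()
    return None


def parse_line(line):
    """Split one constructed 'timestamp|host|command' record."""
    timestamp, host, command = line.split("|", 2)
    return datetime.fromisoformat(timestamp), host, command


def detect_kill_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host whose densest window of kill commands reaches the
    threshold and touches at least one watched target."""
    kills = defaultdict(list)  # host -> [(timestamp, target)]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        timestamp, host, command = parse_line(raw)
        target = extract_kill_target(command)
        if target:
            kills[host].append((timestamp, target))

    alerts = []
    for host, events in kills.items():
        events.sort()
        best = []
        start = 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        watched_hits = sorted({t for _, t in best if any(w in t for w in WATCHED)})
        if len(best) >= threshold and watched_hits:
            alerts.append({
                "host": host,
                "window_start": best[0][0].isoformat(),
                "kill_count": len(best),
                "watched_targets": watched_hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script raises a single alert for WS-07 (seven kills in three seconds, all on watched names) and nothing for WS-12, whose two stops are unrelated and hours apart. The same logic maps onto Sysmon event 1 or Windows 4688 records once the parser is swapped for the real field layout; the design choice worth keeping is the combination of rate (burst size) and target (watchlist), since either signal alone produces noise from administrators and patch jobs.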

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.
DoppelPaymer gang

The company’s Mexico operations were previously hit with a ransomware attack in 2020 by the DoppelPaymer gang, which demanded a $34 million ransom... The group stole about 100 GB of files.

via The Record (therecord.media)
EvilCorp

Grief is an offshoot of the DoppelPaymer ransomware group that evolved from EvilCorp, said Gershuni.

via SC Magazine (scmagazine.com)
Lockean

Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.

via BleepingComputer (bleepingcomputer.com)
DOPPEL SPIDER

"...QakBot infections have led to the deployment of ransomware, including ... DoppelPaymer..."

via CrowdStrike blog (go.crowdstrike.com)
Indrik Spider

In Moldova, authorities arrested a 45-year-old foreign national linked to the 2021 DoppelPaymer ransomware attack on Dutch organizations...

via SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

1 technique
T1552.001 Credentials In Files (evidence: 1)

"...found a variety of sensitive data including usernames and passwords, IP addresses, remote services..."

Discovery

1 technique
T1057 Process Discovery (evidence: 1)

FireEye Mandiant originally explored the link between financially motivated actors and OT in July 2020, when researchers found process kill lists deployed alongside seven different ransomware families... The second kill list was deployed alongside Clop ransomware.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 1)

"...IP addresses, remote services..."

Collection

1 technique
T1074 Data Staged (evidence: 2)

They threatened to leak the data stolen during the attack by June 11.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 3)

If the user installs such an “update”, malware is downloaded onto the victim’s device.

Exfiltration

4 techniques
T1020 Automated Exfiltration (evidence: 1)

"...disclosing terabytes of stolen information on shaming sites... we downloaded and parsed through many terabytes of dump data and found a substantial amount of sensitive OT documentation."

T1041 Exfiltration Over C2 Channel (evidence: 2)

The group stole about 100 GB of files. Foxconn did not pay the exorbitant ransom and some of the data was leaked on the dark web.

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

The company is ranked 28th in Fortune Global 500 and manufactures a wide range of electronic products for major tech companies worldwide... The incident was confirmed ... claims by the Nitrogen ransomware operation earlier this week that they had stolen 8 TB of data and more than 11 million documents.

T1567 Exfiltration Over Web Service (evidence: 2)

LockBit ransomware operation claimed the attack on May 31 by publishing a threat to leak data stolen from Foxconn unless a ransom is paid by June 11.

Impact

5 techniques
T1485 Data Destruction (evidence: 3)

After the ransomware attack, the website of the Mexican facility went down, and the attackers claimed to have destroyed approximately 20-30TB of data.

T1486 Data Encrypted for Impact (evidence: 10)

Tech manufacturing giant Foxconn said its factory in Mexico is slowly returning to normal after a ransomware attack crippled the facility in May.

T1490 Inhibit System Recovery (evidence: 3)

The attackers asked for a $34 million ransom and claimed to have stolen 100GB of data, encrypted between 1,200 and 1,400 servers and destroyed 20 to 30TB of backup data.

T1529 System Shutdown/Reboot (evidence: 1)

The process kill lists were designed to amplify the effects of known ransomware strains.

T1657 Financial Theft (evidence: 1)

DoppelPaymer has only started publishing data in the last few days... the group claims to have sold data stolen in previous incidents on the dark web.

Other

2 techniques
T1562 Impair Defenses (evidence: 4)

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.

T1562.001 Disable or Modify Tools (evidence: 3)

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities... killing security software processes or services, modifying / deleting Registry keys or configuration files... Adversaries may also disable updates...
