DoppelPaymer operators have launched a “Dopple” website to leak the stolen information of victims who refuse to pay a ransom. The operators said they created this website to threaten victims: if they refuse to pay, their information, such as their names and important corporate data, will be leaked on the site.
The operators claim that the site is currently in “test mode” and that they mostly use it to shame their victims and publish a few files.
This extortion method was first used by the Maze ransomware operators, who leaked around 9.5GB of stolen data from Medical Diagnostic Laboratories; they also released files belonging to Southwire, a wire and cable company from Carrollton, Georgia.
This method is now utilized by other ransomware families as well, including Nemty, Sodinokibi and DoppelPaymer.
DoppelPaymer was first reported in June 2019; however, evidence shows that earlier samples of the malware date back to April 2019. Despite its recent appearance, DoppelPaymer has quickly become one of the most notorious ransomware families out there. DoppelPaymer has targeted managed service providers (MSPs) and large organizations in an attempt to access customer networks and admin credentials and to encrypt data.
It has previously been reported that the operators of DoppelPaymer threatened victims that they would publish their private data on a dark web site unless they paid the ransom.
If the victims do not pay the demanded ransom, the threat actors leak their information on a seemingly public news website. Such a data breach could result in victims facing lawsuits, government fines, and financial costs.
According to CrowdStrike, this ransomware has many coding similarities with the BitPaymer ransomware family. BitPaymer was reported to have been deployed in cyber-attacks targeting hospitals and other organizations.
The DoppelPaymer threat actors claim that by creating this website, they plan to carry out more data exfiltration attacks.