AhnLab cybersecurity researchers: The malware is downloaded and executed by a WSF (Windows Script File) contained in a compressed archive, which victims reach through a URL in phishing emails.
Bleeping Computer: DoppelPaymer is back with a new name: Grief. The two Ransomware-as-a-Service operations share the same encrypted file format and the same distribution channel: the Dridex botnet.
The DoppelPaymer ransomware operation is back with a new name: Grief (aka Pay or Grief), as reported by Bleeping Computer. It is unclear whether any of the original developers are still behind this ransomware-as-a-service (RaaS), but clues uncovered by cybersecurity researchers point to a continuation of the "project." DoppelPaymer's activity started to decline in mid-May, about a week after the DarkSide ransomware attack on Colonial Pipeline, one of the largest fuel pipeline operators in the U.S. However, Fabian Wosar of Emsisoft explained that the two malware families share the same encrypted file format and use the same distribution channel, the Dridex botnet. Despite the cybercrime actors' effort to make Grief look like a separate RaaS, the similarities to DoppelPaymer are so striking that a connection between the two is impossible to dismiss.